HEALTHCARE INFOSECURITY NEWSLETTER

February 2017

Insurer Slapped With $2.2 Million HIPAA Settlement

Marianne Kolbasuk McGee, Databreachtoday.com, January 18, 2017

In the final days of the Obama administration, the Department of Health and Human Services has issued its second HIPAA enforcement action for 2017. HHS’ Office for Civil Rights has entered a $2.2 million settlement with a Puerto Rican insurance company in the wake of its investigation of a 2011 breach involving a stolen unencrypted USB drive that affected only about 2,000 individuals.

Life’s a Breach – Sitting on That HIPAA Breach Notification Could Burn You

Sarah L. Bruno, Jade M. Kelly and Lourdes M. Turrecha, Arentfoxadvertising.com, January 19, 2017

On January 9, 2017, Presence Health agreed to settle with the U.S. Department of Health and Human Services (HHS) potential violations under the Breach Notification Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is HHS’ first enforcement action against a covered entity that reported a breach, but did not do so in a timely manner.

Why a HIPAA Security Analysis Is Not Enough

Marianne Kolbasuk McGee, Healthcareinfosecurity.com, January 12, 2017

In recent years, more and more companies across a range of industries have fallen victim to cyber attacks, including Sony Pictures, Yahoo!, and LinkedIn; however, we have yet to see a successful large scale breach of a major U.S. financial institution.

Healthcare Security Alert: Why Do Doctors Still Use Pagers?

Michael Piscopo, Delta-risk.net, January 12, 2017

It’s a late Saturday morning and Joe Hacker (aka WF4EAK in underground hacking circles) fires up the software-defined radio (SDR) he bought online for $20 to listen in on the local hospital paging traffic. After all, he is trying to make a few extra bucks to buy a new Xbox, and selling healthcare information on the black market has turned into a lucrative side job. Let’s face it, organizations that are strictly following HIPAA guidelines and other healthcare regulations have made it harder to hack into hospitals. So how’s a hacker supposed to get to that protected healthcare information (PHI) to make some fast cash?

FTC Files Complaint Against Device Maker Concerning Alleged Failures to Reasonably Secure Routers and Internet Protocol (IP) Cameras

Buckley Sandler, Infobytesblog.com, January 13, 2017

On January 5, the FTC announced that it was initiating an enforcement action against a Taiwanese computer networking equipment manufacturer and its U.S. subsidiary. In a complaint filed with the Northern District of California, the FTC charged that the device manufacturer failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. Specifically, the FTC alleged that hackers could exploit these vulnerabilities using any of several “simple methods.”

$475,000 HIPAA Penalty for Tardy Breach Notification

Marianne Kolbasuk McGee, Healthcareinfosecurity.com, January 9, 2017

In a reminder of HIPAA’s tough requirements for breach notification, federal regulators have issued a $475,000 financial settlement and corrective action plan for Chicago-based Presence Health tied to its tardy notification for a 2013 paper records breach affecting only about 800 individuals.

St. Jude Medical Releases Security Patches for Vulnerable Cardiac Devices

Charlie Osborne, Zdnet.com, January 10, 2017

Reports that St. Jude Medical devices contained severe security flaws which led to a complicated legal battle between the healthcare equipment provider and MedSec have been vindicated, with the FDA supporting the security firm’s findings and St. Jude finally releasing a patch to fix the flaws.

Stock-Tanking in St. Jude Medical Security Disclosure Might Have Legs

Michael Kan, Computerworld.com, January 10, 2017

For better or worse, a security firm’s attempt to cash in on software bugs by shorting a company’s stock and then publicizing the flaws might have pioneered a new approach to vulnerability disclosure.

A 2017 Forecast for HIPAA Enforcement

David Holtzman, Healthcareinfosecurity.com, January 3, 2017

It’s time to dust off the crystal ball to offer predictions for what the Department of Health and Human Services’ Office for Civil Rights might do in 2017 to administer and enforce the HIPAA privacy, security and breach notification rules.
