Government Oversight Agencies Need to Give HIPAA Its Teeth to Truly Address PHI Privacy and Security

June 5th, 2006

Today a story ran in the Washington Post about how no fines have yet been levied for HIPAA noncompliance.  So far close to 20,000 complaints regarding HIPAA compliance have been filed with the Department of Health and Human Services (HHS) oversight agencies: the Office for Civil Rights, responsible for the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services, responsible for the HIPAA Security Rule.

The article indicates that in 73% of the complaints (over 14,000) either no violation was found or HHS simply required the covered entities (CEs) involved to fix the problems.  This really is not at all surprising.  Back when HIPAA went into effect, HHS indicated it would address compliance through complaint-driven investigations and would work with the CEs to fix the problems. 

On February 16 of this year, HHS released the "HIPAA Administrative Simplification: Enforcement; Final Rule," effective March 16, 2006, to more clearly define its compliance and enforcement plans.  Within this Enforcement Rule it is specifically stated:

"§ 160.410 Affirmative defenses.
(a) As used in this section, the following terms have the following meanings:
Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
(b) The Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d–6;
(2) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the federal common law of agency, and, by exercising reasonable diligence, would not have known that the violation occurred; or
(3) The violation is—
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
§ 160.412 Waiver.
For violations described in § 160.410(b)(3)(i) that are not corrected within the period described in § 160.410(b)(3)(ii), the Secretary may waive the civil money penalty, in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation."

So, you can see this is still apparently the planned course of action.

What does this mean with regard to HIPAA having teeth?  Hmm…well…this pretty much leaves HIPAA gumming the noncompliance meat.

I agree with many of the viewpoints at the end of the Washington Post article.  Many, if not most, CEs, knowing that they will only get in trouble with HIPAA noncompliance if 1) someone complains, and then 2) they are not cooperative, after the fact, with the HHS oversight agencies, will choose to stay their current course and take no compliance actions.  The CEs I’ve spoken to have told me this, and they’ve even blogged about it and discussed it in maillists and discussion groups.  The motivators for compliance have basically been removed. 

The only real motivators now are the penalties for criminal noncompliance, which have been applied twice so far.  Too bad crimes have to occur before actions are taken…isn’t it better to prevent the crimes to begin with by applying security and privacy safeguards? 

It is also really too bad that the government, which is more aggressively pursuing compliance with other regulations, such as SOX and the FTC Act, has taken such a milquetoast attitude toward patient information privacy and security.  If HIPAA enforcement is to be effective, it appears the public will need to be more vocal in calling for the regulation to be enforced.  And it would be good if the CEs would just do the right thing to protect the privacy and security of protected health information (PHI) and follow the regulations now, instead of waiting until their hand is caught in the noncompliance cookie jar.  One alternative may be the FTC Act…most CEs have posted privacy policies on their websites, and a notice of privacy practices (NPP) is a requirement of HIPAA.  If CEs do not follow them, couldn’t they be found guilty of committing unfair and deceptive business practices? 

We know the FTC and SEC are diligent in pursuing noncompliance cases…maybe the FTC and SEC heads should have lunch with the HHS head and discuss this issue.

The HIPAA Privacy Rule has been in force since 2003…it’s time the honeymoon period ended.  If HHS would look at the increasingly large numbers of incidents occurring every week…heck, every day…it should realize enforcement and associated penalties are necessary for compliance and PHI protection.

Which brings me to wonder…how will the VA laptop/hard drive theft be handled through an HHS HIPAA violation investigation?  The stolen laptop and external hard drive held personal information on 26.5 million individuals…it certainly seems something should be done.  Others think so as well…see "Health-privacy coalition seeks HIPAA review of VA." 

*ANOTHER* E&Y Laptop Reported as Stolen…in Late February…Containing Data on 243,000 Individuals

June 4th, 2006

Oh, come on now!  I couldn’t believe I was reading yet ANOTHER report of ANOTHER E&Y laptop that has been stolen recently!  ANOTHER stolen from a car…ANOTHER with an unbelievably huge amount of personally identifiable information (PII)…ANOTHER that did not have the data encrypted!  C’mon folks!  If you are information security or privacy professionals, or business leaders of any kind, you really need to step up your efforts to educate your personnel about the risks involved with using laptops, implement encryption on all mobile computing devices, and not allow such inordinately large databases of personal information to be on mobile computing devices.

It is also amazing that the laptop theft occurred in February, yet the E&Y client whose PII was on the laptop, Hotels.com, was not notified until May 3. 

The data included names, addresses and credit card information.

"Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor."

Why don’t they just go ahead and enroll all those individuals into the credit monitoring service?  Why make the victims have to tell them to do it…it’s likely many of the individuals will not be aware any potential breach has even occurred until they start having problems with their credit reports.  Yeah, sure, letters were mailed to them…but how many will be read?

"The letter from Hotels.com said ‘Ernst & Young was taking additional steps to protect the confidentiality of its data, including encrypting the sensitive information we provide to them as part of the audit process.’"

If you entrust sensitive data, such as PII, to another company, for any reason, you should make it one of your contractual requirements for them to keep the data encrypted.  Their sloppy security is probably going to impact you more than them when they have an incident involving it.

Sophos Reports Top Ten List of Malware for May as Well as Arhiveus Ransomware Info

June 2nd, 2006

Those of you interested and intrigued with malware will find a couple of newly released Sophos reports interesting.

Of the top ten malware for May, some of the interesting statistics Sophos provided include:

  • "Netsky-P worm remains the most widespread piece of malware spreading via email.
  • Sophos identified 1,538 new threats in May, bringing the total of malware protected against to 122,634.
  • The majority of the new threats (85.1%) were Trojan horses, while just 12.3% were worms or viruses.
  • The proportion of email which is virus infected has dropped considerably over the last year as hackers have turned from mass-mailing attacks to targeted Trojan horses. In May 2005, one in every 38 emails was infected, now this number is just one in 141."

Sophos also describes a creative new piece of malware, Arhiveus, a type of ransomware that encrypts victims’ data and then attempts to force them into making a purchase from an online pharmacy to get it back.

Well, if businesses kept their data backed up to begin with, on copies the malware cannot reach, they would not need to worry much about this ransomware, would they?  Note that encrypting your own data at rest does not help here: the ransomware runs with the victim’s own privileges and simply encrypts the files again.  It is the offline backup, plus restricting what ordinary user accounts can write to, that lets you recover without paying.  This is a good example of how the cybercrooks are exploiting the human tendency and common business practice of not having adequate security implemented. 

Oh, yes, and encryption and backups not only protect your data assets, they also demonstrate due diligence and contribute to compliance with a wide range of laws and regulations.

Discount Offered for Workshop That Provides Tools for Helping Privacy and Information Security Officers to Work Most Effectively on Their Common Goals

June 1st, 2006

On May 17 I wrote in this blog about how Information Security and Privacy Professionals MUST Work Together to be Successful and told about the workshop addressing this that Christopher Grillo and I will be teaching June 10 and 11 just before the upcoming CSI NetSec conference in Scottsdale, AZ. 

I’m very happy to learn from CSI today that you can get a discount to attend this workshop.  When registering use the code PRIV06 to get $100 off the workshop price.

We have created a huge amount of reference material for the attendees…according to CSI more than for any other workshop they have sponsored…plus tools that took Chris and me literally hundreds of hours to create.  If you can make it, please join us; the more the merrier, and the more depth we will have in our sharing of experiences, thoughts and opinions during the workshop.

Example of a Noncompliance Action for the USA PATRIOT Act: $600,000 Fine

May 30th, 2006

I am concerned when I am at conferences and professional meetings and I hear presenters telling the attendees, from any industry, that there is really nothing that they need to do to address the requirements of the USA PATRIOT Act, and I’ve heard this communicated several times since the law was enacted in 2001.  Here is a good example that yes, indeed, doing nothing can come back to haunt you…and negatively impact your business with penalties and bad press.

It is rare that you see the USA PATRIOT Act, the follow-up for which is the USA PATRIOT Improvement and Reauthorization Act of 2005, being referenced as being part of actions taken by law enforcement for surveillance, or by regulators as part of the basis for fines.  However, I just ran across a story on the government’s FinCEN site that talks about how noncompliance with the USA PATRIOT Act was used in determining a $600,000 penalty against Liberty Bank of New York…I need to check that site more often, don’t I?

In brief, the Financial Crimes Enforcement Network (FinCEN), Federal Deposit Insurance Corporation (FDIC), and New York State Banking Department (NYSBD) assessed a $600,000 penalty against Liberty Bank of New York for violations of federal and state anti-money laundering laws and regulations. Liberty Bank consented to payment of the civil money penalties without admitting or denying the allegations (this is pretty common with regulatory noncompliance situations).

What did Liberty Bank do…or not do?  FinCEN, FDIC, and NYSBD found they:

  • Failed to implement an adequate Bank Secrecy Act/anti-money laundering program with internal controls and appropriate measures to detect and report money laundering and other suspicious activity in a timely manner.
  • Did not have an anti-money laundering program that complied with information sharing requests from law enforcement under section 314(a) of the USA PATRIOT Act.

I anticipate seeing more, and probably more aggressive and costly, actions taken with regard to the USA PATRIOT Act as time goes on…companies need to take notice; not only of section 314(a), but of all the sections, some of which apply to more businesses than just those the law considers financial institutions.

Wonder what section 314(a) is all about?  Here you go:

"SEC. 314. COOPERATIVE EFFORTS TO DETER MONEY LAUNDERING.

(a) COOPERATION AMONG FINANCIAL INSTITUTIONS, REGULATORY AUTHORITIES, AND LAW ENFORCEMENT AUTHORITIES-

(1) REGULATIONS- The Secretary shall, within 120 days after the date of enactment of this Act, adopt regulations to encourage further cooperation among financial institutions, their regulatory authorities, and law enforcement authorities, with the specific purpose of encouraging regulatory authorities and law enforcement authorities to share with financial institutions information regarding individuals, entities, and organizations engaged in or reasonably suspected based on credible evidence of engaging in terrorist acts or money laundering activities.

(2) COOPERATION AND INFORMATION SHARING PROCEDURES- The regulations adopted under paragraph (1) may include or create procedures for cooperation and information sharing focusing on–

(A) matters specifically related to the finances of terrorist groups, the means by which terrorist groups transfer funds around the world and within the United States, including through the use of charitable organizations, nonprofit organizations, and nongovernmental organizations, and the extent to which financial institutions in the United States are unwittingly involved in such finances and the extent to which such institutions are at risk as a result;

(B) the relationship, particularly the financial relationship, between international narcotics traffickers and foreign terrorist organizations, the extent to which their memberships overlap and engage in joint activities, and the extent to which they cooperate with each other in raising and transferring funds for their respective purposes; and

(C) means of facilitating the identification of accounts and transactions involving terrorist groups and facilitating the exchange of information concerning such accounts and transactions between financial institutions and law enforcement organizations.

(3) CONTENTS- The regulations adopted pursuant to paragraph (1) may–

(A) require that each financial institution designate 1 or more persons to receive information concerning, and to monitor accounts of individuals, entities, and organizations identified, pursuant to paragraph (1); and

(B) further establish procedures for the protection of the shared information, consistent with the capacity, size, and nature of the institution to which the particular procedures apply.

(4) RULE OF CONSTRUCTION- The receipt of information by a financial institution pursuant to this section shall not relieve or otherwise modify the obligations of the financial institution with respect to any other person or account.

(5) USE OF INFORMATION- Information received by a financial institution pursuant to this section shall not be used for any purpose other than identifying and reporting on activities that may involve terrorist acts or money laundering activities."

VA posts data security information…some good security info/references for everyone

May 29th, 2006

The Veterans Affairs department has established a couple of web sites to provide information about the status of the VA data security breach, and some FAQs concerning the incident.

Besides providing information about the current breach incident investigation, the FAQ also has some links beneficial to anyone concerned with information security.  The following is an excerpt of some of the references.

"Request a free credit report from one of the three major credit bureaus – Equifax, Experian, TransUnion – at www.AnnualCreditReport.com or by calling 1-877-322-8228."

"the fraud department of one of the three major credit bureaus:

Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, Texas 75013
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790"

"On May 25, 2005, the VA’s Office of Inspector General (VA OIG) and the FBI announced a $50,000 reward through the Montgomery County Crime Solvers organization, for information that leads to the recovery of a laptop computer and external hard drive that contained personal information for millions of veterans."

Privacy, Compliance and International Data Flows

May 26th, 2006

Yesterday I posted a new paper to my site, "Privacy, Compliance and International Data Flows."

In today’s technology and business environment, computers are more mobile and more powerful than ever before. Information is shared more easily, more quickly, and in more ways than previously possible.  One voice-activated command can send a message or document to many different locations throughout the world in milliseconds.  Huge amounts of data can be downloaded onto small mobile computing and storage devices more easily than ever before…and we’ve seen by the ongoing incidents how these mobile devices put data at great risk.

This advanced technology revolution certainly has improved business efficiency and expediency. However, it has also created potential threats to the privacy of personal information and violations of new and emerging data protection laws. In this article I discuss privacy, related laws around the world, compliance and international data flow issues, what organizations need to think about with regard to international data protection, and what they need to do to address the wide range of issues.

How to Protect Laptops While Traveling: Great Site for Travel Safety Information of All Types

May 25th, 2006

The continuing thefts and losses of laptops highlight the need to provide ongoing security awareness and training to the people who use these mobile devices to store and process the personal information of customers and employees.

Over the past couple of weeks I have had the pleasure of speaking with Kevin Coffey about laptop thefts, related crimes, and what people need to do to protect their mobile computing devices and storage media when they are in their homes and traveling.  Kevin is Detective Sergeant for a large metropolitan city in California, and also founded and owns his own company, Corporate Travel Safety.

Kevin has amassed a great list of resources on all topics related to travel safety, including how to protect mobile computing devices.  A couple of years ago he also created a laptop theft prevention video that organizations should consider showing as part of their awareness activities.

Insider Threat Example: Former Red Cross Employee Commits Crimes with Personal Information on 8,000 up to 1 Million Individuals

May 25th, 2006

A story today in Computerworld reports that a former Red Cross worker allegedly used information to which she had authorized access, including names, Social Security numbers and birthdates, to open credit card accounts in donors’ names and then go on shopping sprees.  So far at least four people have been confirmed as victims of this type of identity/credit card fraud…commonly referenced in the papers as identity theft.

This demonstrates how trusted insiders can do bad things with the information they are authorized to use. 

What is interesting is that the report indicates that she "had access to 8,000 blood donors in a database she used in her job," but then it goes on to say "she may have accidentally accessed other records in the larger group." 

So…she actually was authorized to access the entire group, it appears?  You can’t "accidentally" access information that you are not authorized through the system to access.  You can try to use others’ authorizations to access the information, but to "accidentally" access something you would have to have access to it to begin with…through the access control settings.  Kind of like "accidentally" grabbing a wrong-sized shirt out of your closet; you have access to everything in your closet even though you may only wear 3 or 4 of the shirts regularly.

Just think of the potential these personal information opportunists have, with so much access at their fingertips, to sell this information to other criminals and make even more money off their crimes than just opening a few credit card accounts.  She had access to names, Social Security numbers, phone numbers and birth dates.  She was a telephone blood-drive recruiter…why would she need all this access?

The alleged crook "began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered."  So the Red Cross knew about this in March, but only notified the victims last week?  Two months after the crime was discovered?  And the employee was fired, not immediately arrested? 

"The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams [a spokesman for the regional agency] said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters."

Well, access controls should have been set to allow access only to the information necessary for job responsibilities long before this incident.  Unfortunately many organizations do what is easiest up front and give all personnel access to all databases.  This is despite the fact that it has been a standard of due care for many years to limit access, through methods such as role-based access control (RBAC), to only what is necessary, and that a growing number of regulations, such as HIPAA and GLBA, require such access restrictions.  It’s too bad it so often takes an incident for organizations to get their 20/20 security hindsight.

"The agency is reimbursing any of the affected 8,000 donors if the credit reports can’t be obtained for free. The agency also set up a toll-free hotline to aid any identity-theft victims of the incident and said it’s taking additional security steps to ensure that such an incident doesn’t happen again. All staff members are being reminded, for instance, that donors don’t have to put their Social Security numbers into their Red Cross donor records."

Well, it is good the Red Cross is stepping up as much as they can considering they are a nonprofit agency.  It is such a vital and valuable organization…but incidents like these are so senseless! 

Wouldn’t it be nice if the three credit reporting giants, Equifax, Experian and Trans Union would provide, free of charge, credit monitoring for these individuals?  Yeah, well, I’m optimistic…it’s nice to think they would for an important charity…and to help protect the people, whose information was taken, who have been so kind as to donate their blood so that others can live…but I’m also a realist…

Okay…so just a few of the lessons learned…

  • Give access only to the information necessary for people to perform their job responsibilities.  Use RBAC, access control lists (ACLs), or whatever is most appropriate for your computing environment to limit access to the data items…not just to the entire database.
  • Your authorized users are, and will always be, a threat to the information to which they have access.  Numerous reports support this, including the annual CERT/Secret Service insider threat report; the 2006 report should be coming out soon.
  • Perform due diligence before hiring personnel and giving them access to sensitive information with which they can easily commit crime.
  • Perform continuous monitoring of personnel with access to sensitive information.  Make sure you have appropriate separation of duties to make this effective.
  • Create an incident response and notification plan that will ensure the impacted individuals are notified as soon as possible when someone starts to inappropriately use their information.
  • Provide ongoing awareness and training for information security and privacy.  This will help all your personnel not only know what they should be doing, but also know how to identify when others they work with are doing something wrong.
  • Establish, and consistently enforce, sanctions for policy non-compliance.  This will help to dissuade at least some potential crooks.
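As an added example (this is not code from the original post or from the Red Cross), here is what "limit access to the data items, not just the entire database" looks like inside a relational database.  It assumes PostgreSQL; the table, column and role names, and the two donor rows, are hypothetical and constructed for illustration.  A recruiter role gets only the columns the job needs, the SSN column stays behind a separate role, and the last query shows how to audit who can still reach it.

```sql
-- Added example, not from the original post. Assumes PostgreSQL; all names
-- and rows below are hypothetical. Run as a superuser or the table owner.

CREATE TABLE donors (
    donor_id    integer PRIMARY KEY,
    full_name   text NOT NULL,
    phone       text,
    birth_date  date,
    ssn         char(11)      -- sensitive; a telephone recruiter never needs it
);

-- Constructed sample rows (fake data)
INSERT INTO donors VALUES
    (1, 'Alice Example', '555-0100', DATE '1970-01-15', '000-00-0001'),
    (2, 'Bob Example',   '555-0101', DATE '1982-06-30', '000-00-0002');

-- The "easiest up front" anti-pattern the post describes would be:
--   GRANT SELECT ON donors TO blood_drive_recruiter;
-- which hands every recruiter the ssn column along with everything else.

-- Least privilege: the grant names the columns, not the table.
CREATE ROLE blood_drive_recruiter NOLOGIN;
GRANT SELECT (donor_id, full_name, phone, birth_date)
    ON donors TO blood_drive_recruiter;

-- Alternative for databases without column-level grants: a view that omits
-- the column. In PostgreSQL a view runs with its owner's privileges, so the
-- recruiter needs no rights on the underlying table at all.
CREATE VIEW donors_for_recruiting AS
    SELECT donor_id, full_name, phone, birth_date FROM donors;
GRANT SELECT ON donors_for_recruiting TO blood_drive_recruiter;

-- Only a separately controlled role can read SSNs.
CREATE ROLE donor_records_admin NOLOGIN;
GRANT SELECT (ssn) ON donors TO donor_records_admin;

-- A login account gets the job role, never the table directly.
CREATE ROLE jdoe LOGIN PASSWORD 'example-only-change-me';
GRANT blood_drive_recruiter TO jdoe;

-- Verify the restriction by acting as the recruiter role:
SET ROLE blood_drive_recruiter;
SELECT full_name, phone, birth_date FROM donors;   -- allowed
SELECT full_name, ssn FROM donors;                 -- ERROR: permission denied for table donors
SELECT * FROM donors;                              -- also denied: * expands to include ssn
SELECT * FROM donors_for_recruiting;               -- allowed: the view has no ssn column
RESET ROLE;

-- Periodic audit: which roles can reach the ssn column at all?
-- A table-level grant shows up here too, because it covers every column.
SELECT grantee, privilege_type
FROM information_schema.column_privileges
WHERE table_name = 'donors' AND column_name = 'ssn';
```

The column grant is the whole point: granting SELECT on the table, which is what most shops do because it is easy, is exactly how a telephone recruiter ends up with Social Security numbers.  Run the last query on a schedule; if anyone other than the table owner and donor_records_admin appears in the result, an access review is overdue.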

Reference For Protecting Portable Data

May 24th, 2006

Just a few days ago CSO Online provided a pretty nice resource, and timely considering all the continuing laptop and mobile storage media losses. 

Their "Portable Data Protection Options" provides a nice start for organizations planning how to protect their mobile computing devices and storage media, or wanting to quickly see whether their current program is missing something.  Their list of potential vendors for the product categories listed is very limited…there are many other good vendor solutions available…but it is a place to start. 

I’ve written on this quite a bit.  For one of my recent papers discussing the issues involved, see "Managing Mobile Computing Risks."
