Categories
Health Law Highlights

Checking the Pulse: An Approach to Telehealth Privacy and Cybersecurity Due Diligence

Summary of article from Troutman Pepper, by Brent Hoard, Emma Trivax, Erin Whaley:

The rapid expansion of telehealth introduces complex privacy and cybersecurity challenges that affect financing and acquisition decisions in the health care sector. A strategic pre-diligence review is advised to identify potential risks and the applicable regulatory environment, including HIPAA, the FTC’s Health Breach Notification Rule, state-specific privacy laws, and international privacy laws. The pre-diligence review should also include an examination of the target’s privacy policy, website, and data practices. This information should then inform a comprehensive due diligence process, including the development of a request list and a framework for organizing diligence issues. Finally, a plan should be put in place to address any identified compliance risks or business issues both pre- and post-acquisition.

HHS Must Take Immediate Action to Improve Cybersecurity at Large Healthcare Organizations

Summary of article from The HIPAA Journal, by Steve Adler:

Senator Ron Wyden has called on the Department of Health and Human Services (HHS) to take immediate action against large healthcare companies to strengthen their cybersecurity practices. He has criticized HHS for its lack of regulation and oversight, particularly in light of recent cyberattacks on major healthcare organizations such as Change Healthcare and Ascension. Wyden has recommended the development and enforcement of minimum cybersecurity standards for systemically important entities (SIEs), including resilience to cyberattacks and business continuity. He also suggested that HHS should stress test SIEs and prioritize their audits. Moreover, he has urged HHS to provide technical assistance and guidance to smaller healthcare organizations through the Centers for Medicare & Medicaid Services (CMS) Quality Improvement Organizations and Medicare Learning Network programs.

Cybersecurity Policy – Developments to Watch

Summary of article from FiscalNote, by Nicole D’Angelo:

Cybercrime costs are projected to rise from $9.22 trillion in 2024 to $13.82 trillion by 2028, with new threats emerging from advances in technology, particularly AI. Governments are increasingly focusing on cybersecurity, with several key pieces of legislation proposed in 2024, including the Healthcare Cybersecurity Improvement Act and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the US, and the EU AI Act, the Network and Information Security 2 Directive (NIS2), and the Digital Operational Resilience Act (DORA) in the EU. The rise of AI is also leading to new cybersecurity risks, with governments focusing on ensuring AI systems are secure and ethical. The concept of “Security by Design” is gaining traction, encouraging developers to integrate security measures into new products from the outset. The Cybersecurity and Infrastructure Security Agency (CISA) is offering support to high-risk sectors, such as healthcare and education, to help them mitigate sophisticated cyberattacks.

HHS Agency Launches Program to Improve Cyber Resiliency in Hospitals

Summary of article from The HIPAA Journal, by Steve Adler:

The Advanced Research Projects Agency for Health (ARPA-H), a Department of Health and Human Services (HHS) agency, has initiated a cybersecurity program aimed at enhancing and automating cybersecurity in U.S. hospitals. The program, called Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE), will invest over $50 million to develop software tools to bolster network defenses against cyberattacks. The software will help identify and mitigate vulnerabilities in hospital systems, intending to reduce the time devices remain vulnerable from several months to a few days. ARPA-H is seeking proposals for the creation of a vulnerability mitigation platform, development of digital twins of hospital equipment, and methods for auto-detecting vulnerabilities and auto-developing defenses. The UPGRADE program is part of HHS’s broader strategy to improve cyber resilience across the healthcare sector.

OCR HIPAA Audit Program to Commence in 2024

Summary of article from The HIPAA Journal, by Steve Adler:

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 mandates periodic audits of HIPAA-regulated entities by the Office for Civil Rights (OCR) to assess HIPAA compliance, with a focus on the HIPAA Security Rule. OCR has confirmed that audits will be conducted in 2024. The increasing rate and scale of data breaches suggest inadequate compliance with the HIPAA Security Rule among healthcare organizations. OCR aims to improve future audit programs and cybersecurity across the healthcare sector, with a particular focus on risk analysis and management provisions of the HIPAA Security Rule. OCR is working on an update to the HIPAA Security Rule, expected to be finalized by the end of the year, to reflect changes in technology and working practices, including the adoption of cloud technology, encryption, and multifactor authentication.

A Comprehensive Guide to Creating a Sustainable Cookie Program

Summary of article from IAPP, by Jodi Daniels, CIPP/US:

Managing cookies is essential for compliance with privacy and data protection laws worldwide. Establishing a cookie governance program involves designating roles for program leadership, creating a comprehensive policy for cookie use and removal, and implementing systems to manage user consent. Regular audits and privacy impact assessments for new cookie use are necessary to ensure ongoing compliance. Employees should be trained on the cookie program and privacy practices, and privacy notices must accurately reflect the company’s cookie practices. As technologies and privacy laws evolve, businesses should regularly review and update their cookie governance program to maintain compliance.

UnitedHealth Paid Hackers $22 Million Ransom

Summary of article from CNBC, by Ashley Capoot:

UnitedHealth Group confirmed that it paid a $22 million ransom after hackers breached its subsidiary, Change Healthcare, in an incident that affected the healthcare sector broadly. The breach temporarily left many doctors unable to fill prescriptions or get paid for their services. UnitedHealth CEO Andrew Witty revealed that the cybercriminals accessed Change Healthcare through a server that lacked multi-factor authentication, a security measure now implemented across all of UnitedHealth’s external-facing systems. The breach compromised files containing protected health information and personally identifiable information, and a review of the affected data is ongoing. UnitedHealth is working with regulators to assess the breach and notify affected individuals, while also implementing measures to prevent future cyberattacks.

Rehab Hospital Chain Hack Affects 101,000; Facing 6 Lawsuits

Summary of article from GovInfo Security, by Marianne Kolbasuk McGee:

Ernest Health, a Texas-based operator of rehabilitation hospitals, is facing multiple proposed federal class action lawsuits following a ransomware attack that potentially compromised the sensitive information of over 101,000 individuals across several states. The company reported 33 separate breaches involving a network server and a HIPAA business associate at rehabilitation and long-term care hospitals in 12 states. The lawsuits allege that Ernest Health’s negligence in failing to protect sensitive personal information puts the plaintiffs at risk of identity theft and other crimes. The compromised information includes names, addresses, birthdates, medical record numbers, health insurance plan member IDs, claims data, diagnoses, and prescription information, with some Social Security numbers and driver’s license numbers also affected. In response to the incident, Ernest Health has implemented additional safeguards and technical security measures to further protect and monitor its systems.

How Pharmacies Can Protect Patient Data From Cyber Threats

Summary of article from Specialty Pharmacy Continuum, by Karen Blum:

Pharmacies, both large and small, are increasingly targeted by sophisticated cyberattacks because of the patient financial and health information in their databases. Breaches can lead to identity theft and drug diversion, with attackers using advanced tactics to gain access to data. To mitigate these risks, pharmacies should establish a robust cybersecurity plan, keep it updated, and conduct regular staff training. Vetting vendors for their data protection measures and having a contingency plan for data breaches are also crucial. In the event of a breach, pharmacies should comply with all legal requirements, including notifying affected individuals and the Federal Trade Commission.

Health Care Giant Comes Clean About Recent Hack and Paid Ransom

Summary of article from Ars Technica, by Dan Goodin:

Change Healthcare, a US health care services provider, was attacked by the ransomware group ALPHV (also known as BlackCat), disrupting the US prescription market for two weeks. The breach occurred through a compromised account that lacked multifactor authentication (MFA), which allowed the attackers to access and exfiltrate data. The company paid a ransom of $22 million to ALPHV and spent two weeks rebuilding its IT infrastructure. The attack cost $872 million in the first quarter and led the company to provide accelerated payments and no-interest, no-fee loans of over $6.5 billion to affected providers. Currently, the company’s payment processing is at 86% of its pre-incident level.