Health Data

HHS Issues Voluntary Cybersecurity Guidelines for the Healthcare Industry

By: Joshua Mooney and Sedgwick Jeanite

On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a detailed set of voluntary guidelines illustrating best practices that healthcare providers may employ to combat five common and significant cyber risks. Those risks are: (1) phishing; (2) ransomware; (3) loss or theft of equipment or data; (4) insider, accidental, or intentional data loss; and (5) attacks against Internet of Things medical devices. The four-volume publication aims to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems. …

First Joint Cross-State HIPAA Breach Lawsuit Brought in Response to 2015 Cyberattack

By: Michael Jervis

A lawsuit has been filed by the attorneys general of 12 states against a company called Medical Informatics Engineering (MIE) arising out of a 2015 data breach involving stolen medical records for millions of individuals. The complaint generally alleges that MIE and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measure to ensure their computer systems were protected.” The attackers compromised MIE’s WebChart application and as a result were able to obtain personal information for nearly 4 million individuals who were patients of affected providers that used the software. The information obtained included the kind of personally identifiable information typical for such breaches, including names, home addresses, birth dates, social security numbers, email addresses and passwords. …

OIG Recommendations to the FDA for Medical Device Cybersecurity: Foretelling Additional Regulation and Requirements for Controls?

By: Sedgwick Jeanite

With more and more medical devices connected to the Internet of Things (IoT), there is increasing concern over the potential vulnerability of such devices to cyberattacks. This vulnerability represents greater exposure not only for manufacturers and healthcare providers employing IoT medical devices, but also for the insurance carriers who insure against such risks. As a further highlight of this concern, a recent report released by the Office of the Inspector General (OIG) implied that the Food and Drug Administration (FDA) has insufficient controls to respond to cybersecurity problems with medical devices already in the market. The Federal Food, Drug, and Cosmetic Act provides that the FDA’s mission is to ensure that medical devices legally marketed in the United States are safe and effective for their intended uses. …

Talking ‘Bout A (Healthcare Economy) Revolution

By: Rick Borden and Kate Woods

On August 13, 2018, the Centers for Medicare and Medicaid Services (CMS) held the Blue Button 2.0 Developer Conference in Washington, D.C., a gathering of leading healthcare and technology business and thought leaders. Over 350 organizations were represented, from Fortune 500s to electronic health record companies (EHRs) and startups. Why were they there? What were they talking about? And what were their lofty goals? …

Internet of Medical Things Resilience Partnership Act of 2017

A new bill called the “Internet of Medical Things Resilience Partnership Act of 2017,” H.R. 3985, was recently introduced in the House of Representatives. If passed as drafted, the bill will establish a working group of public and private entities led by the Food and Drug Administration (FDA) and National Institute of Standards and Technology (NIST) to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices. Specifically, the working group will develop “recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the U.S. that store, receive, access or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm.”

Task Force Issues Report on Health Care Industry Cybersecurity Challenges and Recommendations

On Monday, June 5, the Health Care Industry Cybersecurity Task Force (the “HCIC Task Force”) issued its Report on Improving Cybersecurity in the Health Care Industry to Congress. The report highlighted that health care cybersecurity is a “key public health concern that needs immediate and aggressive attention.”

In the report, the HCIC Task Force identified six “imperatives” that must be achieved to increase security within the health care industry.
