Information Security

Countdown to GDPR Compliance Deadline: May 25, 2018

January 17, 2018 | Stephen S. Wu

The hottest data protection issue for major U.S. businesses this year is compliance with the European Union’s General Data Protection Regulation (GDPR). Even small and medium sized businesses may also need to comply with GDPR. This post covers frequently asked questions about GDPR.

What is GDPR? GDPR[1] is the European Union’s comprehensive data protection law that takes the place of 1995’s Data Protection Directive 95/46/EC.[2] By “data protection,” I am referring to both privacy and security. GDPR collects, clarifies, harmonizes, and expands data protection requirements throughout the European Economic Area (EEA). The European Economic Area consists of the 28 countries of the European Union plus Norway, Iceland, and Liechtenstein.

Why is GDPR such a concern for U.S. businesses? First, the fines for violating GDPR are potentially heavy. EU data protection authorities can fine businesses up to 20 million euros ($23.5 million) or 4 percent of their global revenues for violations, whichever is greater. Fines, moreover, will likely be based on the revenue of the global parent and any subsidiaries involved with the violations. Second, U.S. businesses find GDPR to be complex and unfamiliar. Questions arise concerning jurisdictional scope, defining the kinds of personal data covered, obtaining consents from individuals, maintaining an audit trail of consents, managing cross-border data flows, and handling new forms of individual rights given to EEA residents.

Data Disposal – a Key to HIPAA Security

November 15, 2017 | Stephen S. Wu

Healthcare providers, health plans, health care clearinghouses, and their business associates have an obligation under the Health Insurance Portability and Accountability Act (HIPAA) to protect patient health information protected under the law. Regulations issued by the Department of Health and Human Services (HHS) under HIPAA require HIPAA covered entities and their business associates to implement policies and procedures to address the disposal of electronic protected health information (PHI) and the hardware or electronic media on which it is stored. As a result, secure data disposal is a key process for HIPAA covered entities and their business associates.

The covered entity or business associate must have policies and procedures to ensure PHI cannot be inadvertently disclosed during or after disposal or reuse of its storage media. Next to the theft of lost and stolen laptops and media, the second most common subject of enforcement by the HHS Office for Civil Rights (OCR) has been improper disposal of PHI. For example, South Shore Hospital near Boston faced an attorney general enforcement action after the hospital retained a data management company to dispose of computer tapes containing PHI, but the tapes were lost in transit. The hospital failed to delete the PHI from the tapes before shipping them.[1] In another case, the OCR forced Affinity Health Plan to pay over $1.2M after it returned photocopiers to a leasing company without first removing electronic PHI from them.[2]

Some of the OCR enforcement activities concerned cases involving the improper disposal of paper PHI. The security of paper PHI falls under the Privacy Rule, rather than the Security Rule.[3] In one of the OCR cases, workers left boxes of paper medical records on a retiring physician’s driveway while he was away.[4] In one attorney general enforcement action, the Massachusetts attorney general sued former owners of a medical billing practice and four pathology groups after they improperly disposed of paper records with sensitive PHI in a public dump, which were found by a Boston Globe photographer. The former owners paid $140,000 to settle the claim.[5]

Meetup on Lessons Learned from the Equifax Data Breach

October 13, 2017 | Silicon Valley Law Group

SVLG Shareholder Stephen Wu will host a conference call program on the recent Equifax data breach on October 25, 2017 at 10 am Pacific/1 pm Eastern. While the Equifax is not the largest ever in terms of the total number of records affected, by some estimates, it affected about half of the population in the United States. With a breach that large, legislators and regulators are considering what new policies may help to prevent future large-scale breaches.

For businesses that create, receive, maintain, and transmit personal data, the Equifax breach raises the question of what changes are necessary to keep up with evolving data security threats. According to news reports, the breach occurred because of a failure in patch management — a failure to implement a publicly available patch to a known security vulnerability for a period of months. Are there emerging threats that warrant changes in patch management practices? Or did the Equifax breach occur because of the company’s failure to take care of the basic patch management steps. We will explore these questions in this program.

The program will generally explore the technical and legal ramifications of the breach. What are the prospects for liability? What compliance challenges does the breach highlight? Are there changes in documented practice and procedure that the breach would suggest?

Is Your Company a HIPAA Business Associate?

October 7, 2017 | Stephen S. Wu

If your business provides services to healthcare providers or health insurance companies, your business may have data privacy and security requirements under a federal law called “HIPAA” (the Health Insurance Portability and Accountability Act). If your business offers an online service or application, the first time you may have heard of HIPAA is when your potential customer asks you to sign a “business associate agreement.” Even if you don’t sign a business associate agreement, you may have compliance obligations under HIPAA. And if you fail to comply with HIPAA, you may face penalties and liabilities for violations.

Health records are among the most sensitive sets of information about us. The results of an unauthorized disclosure of health records could be devastating. Leakage of health records could lead to victims’ embarrassment, stigma, job loss, and even identity theft. Following concerns about the privacy and security of health records in the 1990s, the public began to demand protection to ensure that the healthcare industry would implement controls over what information was gathered from patients, how the information could be shared, and the secure management of that information. When Congress overhauled the healthcare laws and called for greater use of electronic transactions, Congress was aware of the need for protections over the privacy and security of health information.

The need for simplifying the administration of healthcare, coupled with a public concern over privacy and security, prompted Congress to include requirements for privacy and security in landmark healthcare legislation enacted in 1996. The 1996 legislation, called the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”),[1] has had a broad impact on the healthcare industry since its enactment, transforming practices for creating, storing, managing, transmitting, and disclosing health information in the United States. Later, Congress passed the Health Information Technology for Economic and Clinical Health Act, also called the “HITECH Act.”[2]

Equifax Breach Spotlights Information Security Legal Risks

September 26, 2017 | Stephen S. Wu

On September 7, 2017, Equifax Inc. announced a security breach involving the compromise of sensitive personal information of approximately 143 million U.S. consumers. Attackers compromised Social Security numbers, birth dates, addresses, driver’s license numbers, and credit card numbers. This is the kind of information that could help attackers engage in identity theft. This isn’t the largest breach ever in terms of the number of unique accounts; the Yahoo breach involved approximately 1.5 billion accounts. Nonetheless, the fact that the number of affected individuals is approaching half of the U.S. population and involves sensitive information that could be used for identity theft, the Equifax breach is far more concerning than the Yahoo breach.

What caused the breach? The Apache Software Foundation reported on September 9 that attackers compromised Equifax’s systems by exploiting a vulnerability in the Apache Struts Web Framework. It appears that Equifax failed to implement an update that would have prevented the attack. Thus, WIRED magazine is reporting that the Equifax breach was entirely preventable.

The steady stream of news about data breaches emphasizes the importance of rigorous enterprise security programs. The consequences for the breached company are enormous. Companies sued for data breaches are paying staggering amounts to investigate and settle the cases against them. For instance, The TJX Companies set aside $107 million to cover the litigation against it and regulatory actions. Heartland Systems set aside $73.3 million for breach expenses in 2009. The loss of sales, reputation, profit, and ultimately shareholder value may bring a company to its knees. At the time of the Sony breach, for instance, the company’s entire information technology infrastructure was down in order to mitigate the effect of the attack against it. Workers were using personal devices to continue conducting company business.

Healthtech Devices Raise Security Compliance and Liability Issues

December 19, 2016 | Stephen S. Wu

Healthtech devices are increasingly common. People are wearing sensor devices that monitor fitness metrics. They can count steps and distance walked or run, calories burned, elevation changes, and heart rate. In the future, people may swallow sensor devices that can monitor or transmit video of the digestive system, may have sensor devices in their bloodstream monitoring the level of a medication, or may ingest smart pills that detect diseases. An organization can also embed devices in a patient, such as a catheter for an insulin pump, a pacemaker, or microchips placed under the skin.

With all of these devices, various security vulnerabilities may be present. Hackers can exploit vulnerabilities to take control of them or otherwise tamper with them. Devices that communicate with systems outside the body entail the risk of interception or interruption. Moreover, once systems collect data from devices on or in the body, the systems are potential targets for attack.

To mitigate these risks, the device manufacturers should design their products with security features in mind. They should thoroughly test the device during the design phase to determine if vulnerabilities pose risks to users. They should have an independent third party test the device to check for vulnerabilities and seek any available security certifications for the device. Finally, the vendor hosting the applications and data needs to secure the data and the systems collecting the data. It should use transmission security procedures and technology to secure the communications with the device, encrypt the collected data, and manage access to the infrastructure supporting the devices.

Stephen Wu’s New HIPAA Book and 9/28/16 Presentation

September 16, 2016 | Silicon Valley Law Group

Silicon Valley Law Group is pleased to announce the publication of Attorney Stephen S. Wu’s new book: “A Guide to HIPAA Security and the Law – Second Edition.” The American Bar Association published his book last month. The book provides detailed information about healthcare information technology security legal requirements and how covered entities and business associates can comply with them.

Also, please join us for a special Meetup presentation, in which Steve Wu will share his thoughts on an important topic covered in one of his book’s chapters: the impact of emerging technologies on HIPAA security compliance. The program is on September 28, 2016 at 10:00 a.m. Pacific Time at SVLG’s offices. A dial-in is available for those unable to attend in person.

The Department of Health and Human Services issued the HIPAA Security Rule in 2003 to impose information technology security requirements on HIPAA covered entities: healthcare providers, health plans, and healthcare clearinghouses. Later legislation and regulation also imposed HIPAA security requirements on various “business associates” of these covered entities. Despite some changes in coverage and the breach notification rule, the core HIPAA security requirements have remained unchanged since 2003. Nonetheless, technology trends such as cloud computing, social media, and mobile computing required applying the existing rules to new technologies. Moreover, we are now facing dramatic and sweeping changes with augmented and virtual reality systems, Big Data, 3D printing, healthtech, the Internet of Things, robots, and artificial intelligence systems.