1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

HHS Issues Warning About Phishing Campaign Disguised As Official Communication

As part of its efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) engages in audits of covered entities and their business associates.

On November 28, 2016, the OCR issued an alert warning covered entities about a phishing e-mail that is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels.  The e-mail purportedly prompts the receiver to click a link regarding possible inclusion in the HIPPA Privacy, Security, and Breach Rules and Audit Program, and directs the recipient to a non-governmental website.  The phishing e-mail originates from the e-mail address OSOCRAudit@hhs-gov.us and directs individuals to http://www.hhs-gov.us.  This is a slight difference from the official e-mail address for the HIPAA audit program, OSOCRAudit@hhs.gov, and the official HHS website http://www.hhs.gov.

The OCR advises covered entities and their business associates to alert employees of this issue and take note that official communications regarding the HIPAA audit program are to be sent to selected auditees from the official e-mail address OSOCRAudit@hhs.gov.

A copy of the OCR alert can be found here.

If you or one of your entities has received this phishing e-mail, the Dentons Privacy and Cybersecurity Law Group is available to help you navigate next steps.

HHS Issues Warning About Phishing Campaign Disguised As Official Communication

FTC Announces New Guidance on Ransomware

On November 10, 2016, the U.S. Federal Trade Commission (FTC) released new guidance for businesses and consumers on the impact of, and how to respond to ransomware.  Ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data hostage until the victim pays a ransom.  Ransomware incidents have increased over the past year, including a number of high-profile attacks on health care organizations.

Business Guidance

For businesses, the FTC released Ransomware – A closer look with a companion video Defend against Ransomware.  A copy of both can be found here.

According to the FTC, if your business holds consumers’ sensitive information “you should be concerned about the threat of ransomware.”  The FTC notes it can impose “serious economic costs on businesses because it can disrupt operations or even shut down a business entirely.”

In order to defend against ransomware attacks, the FTC recommends businesses invest in prevention through:

  • Training and education: Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
  • Cyber hygiene:  Practice good security by implementing basic cyber hygiene principles (including updating software, and implementing new procedures for users).
  • Backups:  Backup data early and often.
  • Planning:  Plan for an attack.  Develop and test incident response and business continuity plans.

For those businesses hit with a ransomware attack, the FTC recommends organizations take the following steps:

  • Implement the continuity plan:  Have a tested incident response and business continuity plan in place.
  • Contact law enforcement:  Immediately contact law enforcement, such as a local FBI field office, if an attack is discovered.
  • Contain the attack:  Keep ransomware from spreading to networked drives by disconnecting the infected device from the network.

Consumer Guidance

For consumers, the FTC released How to defend against ransomware.  A copy of this guidance can be found here.  The FTC recommends consumers take the following steps to protect against ransomware:

  • Update your software:  Use anti-virus software and keep it up to date.  Set your operating system, web browser and security software to update automatically, and on mobile devices do it manually.
  • Think twice before clicking on links or downloading attachments or applications:  You can get ransomware from visiting a compromised site or through malicious online ads.
  • Back up files:  Back up files whenever possible, and make it part of your routine.

If you are a victim of a ransomware attack, the FTC recommends:

  • Disconnecting the infected devices from the network;
  • Restoring the infected device where possible; and
  • Contacting law enforcement.

Next Steps

If you or your organization becomes a victim of ransomware, or you are interested in developing a comprehensive prevention plan, Dentons’ Privacy and Cybersecurity Group is ready to help.

FTC Announces New Guidance on Ransomware

White House Issues Presidential Directive Coordinating Government Response To “Cyber Incidents”

On July 26, 2016, President Obama issued a new Presidential Directive setting forth the framework for how the United States (US) federal government will respond to “cyber incidents,” whether involving government or private sector entities.  The new directive (PPD-41):

  • Outlines guiding principles governing the federal government’s response to “cyber incidents”;
  • Sets forth the concurrent lines of effort federal agencies shall undertake in responding to any “cyber incident,” whether private or public;
  • Identifies the ways the federal government will coordinate its activities in responding to “significant cyber incidents,” including the establishment of lead US federal agencies; and
  • Requires the US Departments of Justice (DOJ) and Homeland Security (DHS) to maintain updated contact information for public use to assist entities impacted by “cyber incidents” in reporting those incidents to the proper authorities.

Definitions

  • Cyber Incident: PPD-41 defines “cyber incident” as an event “occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.”
  • Significant Cyber Incident: PPD-41 defines a “significant cyber incident” as one that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

Guiding Principles

In carrying out its incident response activities, the federal government is to be guided by the following principles:

  • Shared Responsibility: Individuals, the private sector, and government agencies have a “shared vital interest and complementary roles and responsibilities” in protecting the US from malicious cyber activity and managing cyber incidents and their consequences.
  • Risk-Based Response: The federal government will determine its response actions on an “assessment of the risks posed to an entity, our national security, foreign relations, the broader economy, public confidence, civil liberties, or the public health and safety of the American people.”
  • Respecting Affected Entities:  Federal government responders will “safeguard details of the incident,” to the extent permitted under law, as well as “privacy and civil liberties, and sensitive private sector information[.]”  In the event a “significant” federal government interest is served by a public statement concerning the incident, federal responders are to coordinate their approach with the affected entity.
  • Unity of Governmental Effort:  The efforts of the various governmental entities must be coordinated to “achieve optimal results.”  Therefore, whichever federal agency “first becomes aware of a cyber incident will rapidly notify other relevant” federal agencies in order to facilitate a unified response, and will coordinate with relevant state, local, tribal and territorial governments to coordinate the same.
  • Enabling Restoration and Recovery: Federal response activities are to be conducted “in a manner to facilitate restoration and recovery of an entity that has experienced a cyber incident[.]”

Concurrent Lines of Effort

In responding to a cyber incident, federal agencies are required to take three “concurrent lines of effort:”

  1. Threat response;
  2. Asset response; and
  3. Intelligence support and related activities.

Where a federal agency is the affected entity, it shall undertake a fourth concurrent line of effort “to manage the effects of the cyber incident on its operations, customers and workforce.”

Threat Response

Threat response activities include:

  • Conducting appropriate law enforcement and national security investigative activity at the affected entity’s site;
  • Collecting evidence and gathering intelligence;
  • Providing attribution;
  • Linking related incidents;
  • Identifying threat pursuit and disruption opportunities;
  • Developing and executing courses of action to mitigate the immediate threat; and
  • Facilitating information sharing and operational coordination.

Asset Response

Asset response activities include:

  • Furnishing technical assistance to affected entities to protect their assets;
  • Mitigating vulnerabilities;
  • Identifying other entities that may be at risk;
  • Assessing potential risks to sector; and
  • Facilitating information sharing and operational coordination.

Intelligence Support and Related Activities

Intelligence support and related activities will facilitate:

  • The building of “situational threat awareness and sharing of related intelligence;”
  • The integrated analysis of threat trends and events;
  • The identification of knowledge gaps; and
  • The ability to degrade or mitigate adversary threat capabilities.

Impacted Government Agency

An affected federal agency will engage in a fourth concurrent line of effort to manage the impact of a cyber incident, which may include:

  • Maintaining business or operational continuity;
  • Addressing adverse financial impacts;
  • Protecting privacy;
  • Managing liability risks;
  • Ensuring legal compliance;
  • Communicating with affected individuals; and
  • Dealing with external affairs.

Architecture of Federal Government Response Coordination For Significant Cyber Incidents

PPD-41 directs the federal government to coordinate its activities in response to a “significant cyber incident” in three ways: (1) National Policy Coordination; (2) National Operational Coordination; and (3) Field-Level Coordination.

National Policy Coordination

The National Security Staff’s Cyber Response Group (NSC CRG) will “coordinate the development and implementation” of the US “policy and strategy with respect to significant cyber incidents affecting the” US or “its interests abroad.

The NSC CRG is a White House led Assistant Secretary level interagency policy coordination group that coordinates policy related issues for the National Security Council and the Homeland Security Council review as outlined in Presidential Policy Directive-1.

National Operational Coordination

  • Agency Enhanced Coordination Procedures: Each federal agency that regularly participates in the CRG shall “establish and follow enhanced coordination procedures as defined in the annex” to PPD-41 “in situations in which the demands of responding to a significant cyber incident exceed its standing capacity.”
  • Cyber Unified Coordination Group:  A Cyber Unified Coordination Group (UCG) will serve as the “primary method for coordinating between and among” federal agencies “in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts.”  The Cyber UCG will be formed at the direction of the National Security Council when two or more federal agencies request its formation.  A Cyber UCG will also be formed when a “significant cyber incident affects critical infrastructure owners and operators” identified by the DHS.
  • Federal Lead Agencies:  In order to ensure the Cyber UCG “achieves maximum effectiveness in coordinating responses to significant cyber incidents,” the following agencies will serve as federal lead agencies:
    • Threat Response: The DOJ, acting through the FBI and National Cyber Investigative Task Force, will lead the government’s “threat response” activities.
    • Asset Response: The DHS, acting through the National Cybersecurity and Communications Integration Center, will lead the government’s “asset response” activities.
    • Intelligence Support: The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will lead the government’s “intelligence support” activities.

Field-Level Coordination

Field-level representatives of the federal asset or threat response lead agencies “shall ensure that they effectively coordinate their activities within their respective lines of effort with each other and the affected entity.”

Unified Public Communications

PPD-41 requires the DHS and DOJ to “maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant” federal agencies about a cyber incident.

To read the full text of PPD-41, click here

White House Issues Presidential Directive Coordinating Government Response To “Cyber Incidents”

Allowing Ontario’s Privacy Tort to Develop in the Health Information Sphere — for Now

In the 1980’s the Supreme Court of Canada pre-emptively ended the development of a common law tort of discrimination. The case, Seneca College v. Bhadauria, stands out as one of the lost opportunities in the development of the common law in Canada. The battle lines have re-emerged in the context of the development of Ontario’s new privacy tort – intrusion upon seclusion. How it will play out is yet to be seen.

Bhadauria

Although the cases involving the tort of intrusion upon seclusion do not mention Bhadauria — that case casts a long shadow and is essential reading to understand what is currently at stake for those who seek to advance a common law privacy tort.

In Bhadauria, the plaintiff complained that she had been repeatedly discriminated by the defendant college on the basis of her ethnic origin. She had applied for 10 positions on the teaching staff of the college and had never been granted an interview. Bertha Wilson J.A., writing for a unanimous bench of the Court of Appeal, recognized a new common law tort of discrimination and concluded that the Human Rights Code did not impede or exclude the development of the common law in this area in Ontario.

The college appealed the decision in Bhadauria to the Supreme Court of Canada with leave of that court. Chief Justice Laskin, writing for the court, concluded that the Human Rights Code was comprehensive legislation providing for a complaint procedure, a board of inquiry and judicial scrutiny. Laskin C.J. concluded that the Human Rights Code had – for better or worse – overtaken the development of the common law and foreclosed any development of the tort based on the anti-discrimination policy underlying the Human Rights Code. There ended the development of the tort of discrimination. Although the Supreme Court was asked to reverse its decision in 2008 in Honda Canada Inc. v. Keays, it did not do so.

Intrusion Upon Seclusion

Fast forward to 2012 and Ontario’s Court of Appeal recognized the tort of intrusion upon seclusion in Jones v. Tsige. In that case the defendant, an employee of the bank, had repeatedly accessed the banking information of the plaintiff who was in a relationship with the defendant’s former husband. The court recognized a new privacy tort and awarded damages for the intrusive behaviour of the defendant.

An open question was whether and how this new tort would fare in the context of Canada’s federal and provincial privacy legislation. The Ontario Court of Appeal made no mention of Bhadauria and the fateful attempt to establish a new tort in that case, although the issue appears to have been on Sharpe J.A.’s mind in his reasons. The defendant argued that privacy was already subject to provincial and federal legislation. However, the court concluded with brief reasons that “it would take a strained interpretation to infer from these statutes a legislative intent to supplant or halt the development of the common law in this area” (para. 49).

The court distinguished the federal Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that it applied to “organizations” and not an individual tortfeasor. The plaintiff’s recourse would have been to make a complaint against her own employer rather than the culpable person. Moreover, PIPEDA did not speak to the existence of a civil cause of action in Ontario. The Ontario Freedom of Information and Protection of Privacy Act addressed the practices of governments and public institutions and was not applicable.

Personal Health Information – Another Frontier

However, whether the tort could apply in other contexts was not entirely put to rest. There remained an open question whether the tort could apply in respect of conduct or events that might be the subject of a complaint under Ontario’s Personal Health Information Protection Act (“PHIPA”). This issue arose last month in the case of Hopkins v. Kay. The case involved the alleged the improper access of personal health records of 280 patients of a hospital without consent of the patients.

The hospital brought a motion to strike the claim based on the new tort on the basis that PHIPA covered the field. The hospital might have had the better argument based on Bhadauria. Complaints could be made to the Information and Privacy Commissioner of Ontario who has broad administrative and enforcement powers under PHIPA. Once the Commissioner made an order that had become final, a person affected by the order could commence a proceeding in the Superior Court of Justice for damages for actual harm that the person suffered as a result of a contravention of PHIPA. Damages are limited to $10,000 for mental anguish and there is an immunity provision to protect health information custodians and their agents from any action that seeks damages for acts or omission that have been made in good faith and that are reasonable in the circumstances.

Nevertheless, the motions judge refused to strike out the pleading finding that it was not so plaint and obvious that the claim was doomed to fail on the basis that PHIPA covered the field. The motions judge held “[i]f the position of the Hospital is to be sustained, it will require a decision of the Court of Appeal, which […] determines that there is no claim for breach of privacy and that the claim must rest on the provisions of PHIPA.”

The battle is clearly not over.

, ,

Allowing Ontario’s Privacy Tort to Develop in the Health Information Sphere — for Now

OCR releases audit protocols for HIPAA Security, Privacy and Breaches

The Department of Health & Human Services (HHS) is required under Section 13411 of the HITECH Act to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, HHS’ Office for Civil Rights (responsible for enforcing the HIPAA Privacy and Security Rules) piloted an audit program of covered entities to assess privacy and security compliance. The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR has now published audit protocols for HIPAA Security and HIPAA Privacy and Breach. The protocols may be found at: http://ocrnotifications.hhs.gov/hipaa.html. The audit protocols cover Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. The protocols also cover Security Rule requirements for administrative, physical, and technical safeguards. In addition, the protocols cover requirements for the Breach Notification Rule. Covered entities and business associates should review the OCR protocols and self-assess their data privacy and security program against them to better assess their own HIPAA compliance and implement enhancements or corrective actions that may be necessary to improve their programs.

 

 

OCR releases audit protocols for HIPAA Security, Privacy and Breaches