NIST Publishes Critical Software Definition for U.S. Agencies
President Biden’s Cybersecurity Executive Order requires all federal agencies to reevaluate their approach to cybersecurity, develop new methods of evaluating software, and implement modern security approaches to reduce risk, such as encryption for data at rest and in transit, multi-factor authentication, and using a zero-trust approach to security. One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to create a list of all software covered by the Executive Order and for creating security rules that federal agencies will be required to follow when purchasing and deploying the software. These measures will help to prevent cyberattacks such as the SolarWinds Orion supply chain attack that saw the systems of several federal agencies infiltrated by state-sponsored Russian hackers. The Executive Order required NIST to publish its critical software definition within 45 days. NIST sought input from...
Government Watchdog Makes 7 Recommendations to HSS to Improve Cybersecurity
The Government Accountability Office has published a report following a review of the organizational approach to cybersecurity of the U.S. Department of Health and Human Services (HHS). The study was conducted because both the HHS and the healthcare and public health sector are heavily reliant on information systems to fulfil their missions, which include providing healthcare services and responding to national health emergencies. Should any information systems be disrupted, it could have major implications for the HHS and healthcare sector organizations and could be catastrophic for Americans who rely on their services. “A cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities,” said the GAO in the report. The HHS must implement safeguards in place to protect its computer systems from cyber threat actors looking to obtain sensitive data to commit fraud and identity theft,...
Email Data Breaches Reported by UofL Health and Jawonio
UofL Health has started notifying 42,465 patients that some of their protected health information (PHI) was sent to an incorrect external email address. The Louisville, KY healthcare system sent notification letters to affected patients on June 7, 2021 advising them about the exposure of some of their PHI. UofL Health was contacted the following day by the owner of the external domain and was provided with technical evidence that showed the emails had not been viewed by anyone and had been permanently deleted. Some patients whose PHI was exposed were offered complimentary identity theft protection services. While it has now been confirmed that PHI had not been viewed and is no longer accessible, UofL Health said any patient who was offered identity theft protection services will still be able to sign up for them free of charge. “We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner,” said UofL Health in a website notice to its patients. UofL Health did not state in its breach notice...
Ohio Hospital Worker Snooped on 7,300 Patient Records over 12 Years
A former employee of Aultman Health Foundation accessed 7,300 patient records without authorization for almost 12 years before the HIPAA violation was discovered. The employee was provided with access to patient records to fulfil duties related to coordinating patient care but was discovered to have accessed patient records when there was no legitimate work reason for doing so. The types of information accessed included patient names, addresses, dates of birth, health insurance information, diagnosis and treatment information, and Social Security numbers. Aultman said it suspended the employee’s access to patient records as soon as the privacy violation was uncovered, and an investigation was immediately launched to determine the nature and scope of the HIPAA violation. The investigation revealed the employee accessed patient records without authorization from September 14, 2009 until April 26, 2021. The employee was terminated for violating HIPAA and hospital policies. Aultman has started notifying patients whose records were viewed. Patient’s whose Social Security number was...
No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation
The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th amendment when an individual’s privacy is violated. The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated in a voice loud enough for others to hear that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor. In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the...



