In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.

Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.

The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

We have seen many variations of ransomware attacks on the rise lately. Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.

Details of the HPMC Incident

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current. That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, etc. If your system is adequately backed up, you may not need to pay ransom to get your data unlocked.
  2. Don’t be the low-hanging fruit: Ensuring software patches and anti-virus are current and updated will certainly help. Many attacks rely on exploiting security bugs that already have available fixes.
  3. Installing pop-up blockers and ad-blocking software.
  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams.  If you are a HIPAA-covered entity, you should be checking in with Mintz’s Health Law & Policy Matters blog on a regular basis.

FBI on Ransomware

One of the big questions arising out of the HPMC and other ransomware cases is: do we pay? If your business is about to grind to a halt, you likely have no choice. However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular. The FBI’s Ransomware information page provides some tips. Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.

When in Doubt, Don’t Be a Click Monkey!

Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.
  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.
  • A bank with whom you do not do business asking you to reset your password.
  • A message with an attachment but no text in the body.

All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.  


The amended Judicial Redress Act has passed the House and is on its way to the president to be signed into law.  The Act, which we covered in an earlier blog post, gives citizens  of foreign countries the same rights as US citizens in connection with the use by the US government of their personal data, subject to a determination by the Attorney General that the country in question cooperates with the US in sharing law enforcement information, doesn’t impede the flow of personal data to the US for commercial purposes, and meets certain other requirements.  Essentially, the Judicial Redress Act helps assuage the EU’s concerns about government uses of personal data.  The Judicial Redress Act is vital for the EU’s acceptance of the Umbrella Agreement for sharing of data by law enforcement agencies.  It should be helpful for the proposed new “Privacy Shield,” which is currently under review by representatives of Europe’s national data protection agencies.

As we’ve discussed previously, the GDPR significantly limits user consent as a basis for processing personal data.  One interesting question is whether the new rules on consent will kill free apps in Europe.  Free apps typically involve the offer of a service (the app) in exchange for access to personal data (whatever data the app siphons off from my phone, for example, per the terms of use that I probably didn’t bother reading).  Under the GDPR, that may not be a bargain that I, as a consumer, am allowed to make. Continue Reading Will free apps soon be dead in Europe?


Just at the end of 2015, the Cybersecurity Information Sharing Act (CISA) was enacted into law as part of the omnibus spending measure passed by Congress and signed by President Obama right before Christmas. The legislation combines elements from the versions of CISA that passed the House in April of 2015 and the Senate in October.

Enactment of CISA was driven by the goal of clearing away some of the legal uncertainty and liability risk concerns inhibiting sharing of cybersecurity threat information. Cyber criminals are technologically proficient and constantly innovating, which means that protecting American enterprise networks, industrial control systems, and electronic information systems requires continued vigilance and innovation. There is broad agreement that the nation’s cyber defense posture could be greatly strengthened through more robust and timely sharing of cyber threat information both between the government and the private sector and between private companies themselves.   Continue Reading Happy New Year – Cybersecurity Information Sharing Act

A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information.  The Massachusetts decision adopts a more relaxed approach to standing than has generally been followed in the federal courts.  The holding, however, may not have broad applicability outside of Massachusetts state court, and does not eliminate potential obstacles to proving the claims asserted. Continue Reading Massachusetts Court: Patients Have Standing to Sue for Data Breach Based on Data Exposure Alone

The European Union Commission has issued a fact sheet on the new General Data Protection Regulation (final post-trilogue text available via Statewatch). The Commission claims that the Regulation is good for individuals and good for business. We’ll leave that to readers . . . and history . . . to decide.

As regulations go, the GDPR is a page-turner, but if you don’t have time to read all 204 pages before the holidays, consider joining our webinar at 1 pm ET today. Registration is here.


Don’t forget to join us tomorrow afternoon – Tuesday – at 1 PM ET for a webinar discussion on the New EU General Data Protection Regulation. What’s next? What are the key changes? What do you need to do to prepare?

Registration is here.

Continue Reading REMINDER: Webinar TOMORROW — Getting to Grips with the New EU General Data Protection Regulation: Key Changes and What You Need to Do to Prepare

The EU has announced that the Commission, Parliament and Council have reached agreement on the final shape of the General Data Protection Regulation.  The official version will be available early in 2016, but we will be reviewing the details that have been made available so far and providing further information here over the next couple of days.  We’ll start with the bottom line:  the maximum fine for breaches is four percent of annual worldwide turnover.  Big numbers, big goals on the part of the EU.


The negotiations between the EU and the US for a new data transfer agreement to replace the struck-down Safe Harbor program continue as the clock ticks down to the enforcement deadline of January 31, 2016 (as declared by the EU’s national data protection authorities via the Article 29 Working Party).

While the CJEU’s decision striking down the current Safe Harbor arrangements is usually discussed in isolation as a purely US-EU matter, the decision in fact flows from an earlier intra-EU case, Digital Rights Ireland and Others (C293/12 and C594/12, EU:C:2014:238; decided April 8, 2014) that invalidated the 2006 Data Retention Directive and cast doubt on all mass data collection in the EU by EU and national authorities. Today, in a feature commentary published by The Cipher Brief, we take a look at some of the key cases in Europe that frame the tension between mass surveillance-based security operations and individual privacy rights. These cases provide a critical backdrop for understanding the challenges that the EU Commission and the US face in crafting a new Safe Harbor agreement that meets European legal standards.

Written by Jane Haviland

The latest Pew Research Center Report relayed useful information regarding application users’ concerns with sharing personal data.  Ninety percent of app users indicated that how their personal data will be used is “very” or “somewhat” important to them, and influences their decision to download an app.  Sixty percent of users decided against downloading an app when they saw how much personal information they would need to share.  Android 6.0, or Marshmallow, should abate users’ concerns.

The Report looked at the type of permissions sought by apps available in the Google Play store, largely because of the public availability of this data and the popularity of the Google Play store. Google Play apps request a total of 235 unique permissions to access users’ information or phone hardware. The most common permissions relate to accessing the device’s internet connectivity. The average app sought five permissions. The most common permissions sought access to the device’s hardware (i.e., controlling vibration, adjusting volume, etc.) as opposed to personal information. The Android permissions structure is currently “all or nothing,” meaning the user must grant the app all permissions requested in order to install the app. The permissions appear at the time of installation, requiring the user to accept them in order to install the app, and can be viewed at any time on the app’s page in the Google Play store.

With Android 6.0, or “Marshmallow,” Google will allow users to pick and choose the permissions they wish to grant.  Permissions will be displayed not at the time of download, but at the moment when the app requires the permission to perform a particular function.  Users can grant or deny the permission, then change the permission setting later.  For instance, the user can allow the app to access the user’s location when using the app, then turn this permission off afterwards.  This change makes the Android permission scheme more like Apple’s.
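As an added illustration (not code from the post, from Pew, or from Google), here is how an app built against Android 6.0 asks for location permission only at the moment a feature needs it and degrades gracefully when the user says no; the activity, the feature and the request code are hypothetical, and the permission must still be declared in the manifest.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Build;
import android.widget.Toast;

// Hypothetical activity showing the Android 6.0 (API 23) runtime-permission flow.
public class NearbyClinicsActivity extends Activity {
    private static final int REQ_LOCATION = 42; // arbitrary request code we chose

    // Called when the user taps a hypothetical "find clinics near me" button.
    void onFindNearbyClicked() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            // Before Marshmallow the permission was granted all-or-nothing at install.
            showNearbyClinics();
            return;
        }
        // Ask the system each time: the user may have revoked the grant in Settings.
        if (checkSelfPermission(Manifest.permission.ACCESS_FINE_LOCATION)
                == PackageManager.PERMISSION_GRANTED) {
            showNearbyClinics();
        } else {
            // Prompt only now, when the feature actually needs the permission.
            requestPermissions(
                    new String[] {Manifest.permission.ACCESS_FINE_LOCATION}, REQ_LOCATION);
        }
    }

    // Delivered after the user answers the system prompt.
    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_LOCATION) {
            return;
        }
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            showNearbyClinics();
        } else {
            // Denied: keep the app usable rather than failing; the user can grant the
            // permission later in Settings and checkSelfPermission will then succeed.
            Toast.makeText(this, "Location is off; showing all clinics instead.",
                    Toast.LENGTH_SHORT).show();
            showAllClinics();
        }
    }

    void showNearbyClinics() { /* hypothetical: read location and filter the clinic list */ }
    void showAllClinics()    { /* hypothetical: show the unfiltered clinic list */ }
}
```

`<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />` still has to appear in AndroidManifest.xml; on Marshmallow that declaration alone no longer grants anything, which is the change the post describes.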

This change may result in more users for Google Play Store’s apps. Those users who decline to download an app because of their wariness of sharing too much personal information can take control of what they share at any given time. Users can refuse to allow access to data, including personal information, altogether, or pick and choose when to allow access. App developers can be less concerned with scaring off potential users by requesting multiple or broad permissions. This development is good news for users and developers alike and will likely encourage increased and repeated app downloads.