Tag Archives: guidance

FTC Updates COPPA Compliance Guidance

Anyone who falls under regulations with the COPPA knows the FTC takes children’s privacy seriously.

With more products being marketed towards minors (e.g. internet-connected toys), the Federal Trade Commission revisited compliance requirements under the Children’s Online Privacy Protection Act (COPPA).

The FTC released an update to the ‘Six-Step Compliance Plan for Your Business’ to simplify COPPA compliance for organizations. Several new focus areas are noted in the guidance including:

  • New business models. As technologies evolve, organizations are changing the way they collect data. Evolving data collection activities are addressed in the new update. For example: The update added regulations for voice-activated devices that collect personal information.
  • New products covered by COPPA. COPPA no longer applies strictly to websites and mobile apps. The law now covers a growing list of connected devices that make up the Internet of Things. This includes web-connected toys and other products intended for children that collect personal information, such as voice recordings or geolocation data.
  • New methods for getting parental consent. The revised Compliance Plan discusses two newly-approved methods for getting parental consent: asking knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID.

The FTC offers an additional FAQ resource for organizations that have further questions regarding COPPA compliance.

The FBI also released a related article on privacy risks associated with Internet-connected children’s toys.

OCR Publishes New Cybersecurity Materials & Guidance

The Office for Civil Rights (OCR) released new guidance materials that should prove helpful for smaller organizations working on a limited budget. The purpose of the new guidance is to help Covered Entities and Business Associates understand the steps involved with responding to a security incident.

Response Checklist

OCR’s checklist is titled ‘My entity just experienced a cyber-attack! What do we do now?’ and briefly touches on several quick-response steps:

  • Execute the response and mitigation procedures and contingency plans
  • Report the crime to applicable law enforcement agencies
  • Report all cyber threat indicators to federal agencies and to information-sharing and analysis organizations
  • Report the breach to OCR as soon as possible (but no later than 60 days after discovery of a breach affecting 500 or more individuals)

The accompanying infographic helps to illustrate these steps.

Key Takeaways

Being prepared for a cybersecurity incident and having the response process thought out is a key focus area for our clients. For organizations in the healthcare industry, we have provided foundational templates for building incident response programs. Whether your organization is starting from scratch or just wants to supplement existing incident response plans, these templates are key resources.

Each of these steps mentioned by the OCR is an important component of an effective incident response plan. You can view our incident response materials through the website in our newsletter. Submit any incident response questions to cyberteam@eplaceinc.com.

Working Party Releases Final GDPR Guidance Materials

The Article 29 Working Party adopted the final versions of several guidance documents related to GDPR compliance. The first versions were initially released last December for comment.

The guidance documents provide organizations covered under GDPR with guidelines on the following topics:

  • Data Protection Officers
  • Data Portability
  • Lead Supervisory Authorities

In conjunction with these documents, the Working Party also released their draft guidelines on Data Protection Impact Assessments. The guidance aims to help organizations determine when a data protection impact assessment is required under GDPR. Focus areas include:

  • Scope of a DPIA
  • Processing operations subject to a DPIA
  • Steps to conduct a DPIA
  • Consultation requirements with Supervisory Authorities
  • Further recommendations

OCR Clarifies Healthcare Permitted Uses and Disclosures

When can Healthcare organizations disclose patient information for public health purposes? The Department of Health and Human Services Office for Civil Rights (OCR) issued a guidance document to address that question. The purpose of the OCR guidance is to illustrate what uses and disclosures of patient information for public health reporting, surveillance, and investigations are allowed under HIPAA.

Guidance Details

The guidance document presents several scenarios to give examples of the situations in which healthcare organizations can share and disclose patient information.

Here’s one example of the scenarios presented:

The state’s Department of Health investigates the source of a recent measles outbreak in a local school, and state law authorizes the Department to access medical records to complete the investigation. The Department of Public Health asks all health providers in the state to report confirmed diagnoses of measles, including patient identity, demographic information, and positive test results. Under 45 CFR 164.512(b)(1)(i), providers within the state may use certified health IT to disclose PHI to the Department of Health.

The OCR is hoping to demonstrate how HIPAA supports and facilitates the exchange of health information. Of course, when protected health information is shared for public health purposes, the HIPAA Security Rule requirements still need to be met.

The goal is to encourage these types of disclosures to public health agencies authorized to collect the relevant health information.

Key Takeaway

This guidance shows the OCR’s effort to strike a balance between business and healthcare operations, public health and safety, and patient privacy and security.

The guidance gives healthcare organizations a practical look at these types of disclosures allowed under HIPAA for public health purposes.

Payment Card Industry’s Security Standards Council Releases Important Guidance Information

Many companies struggle to understand and implement all of the requirements under the Payment Card Industry’s Data Security Standards (PCI DSS). In response, the PCI Council has issued a guidance document – Guidance for PCI DSS Scoping and Network Segmentation – to give merchants some practical direction.

The guidance helps companies identify systems and networks that should be included in the scope of PCI DSS analysis. Further, it offers guidance on how network segmentation can effectively reduce the number of systems that fall under the PCI DSS scope.

Key Takeaway

Some key notes from the guidance:

  • Only systems that contain sensitive cardholder information, or are connected to those systems, fall under PCI DSS requirements.
  • By storing less information, companies can minimize PCI DSS compliance efforts.
  • By using network segmentation, companies can reduce the number of systems falling under PCI DSS requirements.

The recommendations in this document can help entities large and small understand the PCI scoping requirements and how to apply network segmentation to reduce their exposure. For any further questions on these topics, feel free to reach out to our vCISO team at cyberteam@eplaceinc.com.

FTC Issues Breach Response Guidance

The Federal Trade Commission released a guidance document highlighting the key steps for businesses to take when responding to a data breach.

We are a big proponent of breach preparedness and incident response planning. The FTC guidance covers the vast scope of these topics with a high-level overview.

What’s in the Guide

The FTC guidance outlines the key steps for companies as they are dealing with a data breach: securing operations, fixing vulnerabilities, and notifying appropriate parties.

As far as notification, the FTC mentions the complexity of the notification matrix. There are 47 different state laws, along with industry regulations, that govern the notification process in the wake of a data breach. The FTC also provides a model breach notification letter for companies to leverage as a template.

The other part of the guidance to consider is the expert support recommended. The two key areas here are outside legal counsel and independent forensic investigators. Privacy attorneys, often referred to as breach coaches, provide a depth of experience in dealing with breach response and can help the process move along smoothly. As mentioned above, the notification process can get tricky very quickly, and having a breach coach on your side can really come in handy.

You can find the full breach response guidance here.

Industry Powerhouse (NIST) Provides Updated Digital Password Best Practices

It’s the question we all ask our IT people… what is the best way to create a good password? The National Institute of Standards and Technology (NIST) is trying to help answer that question.

NIST is working to develop new guidelines for password policies to be used throughout the United States government. These guidelines will serve as a solid template for all organizations to use when establishing password management policies.

Password Best Practices

NIST published the draft guidance recently, so what’s new and novel here?

Favor the User. One big takeaway from the NIST guidance is the emphasis on user-friendly policies. The theme is shifting towards putting the burden on the verifier. When we make password policies hard to follow, and thus passwords hard to remember, users make poor security decisions – e.g. writing their password on a sticky note next to the computer.

Knowledge-Based Authentication. KBA is no longer a best practice. Actually, it can be counterproductive for security. KBA is when the website or account asks you to choose a security question that only you should know the answer to – e.g. What is your mother’s maiden name, what was your high school mascot, etc. The problem with these questions is that attackers have ample resources, through social media and social engineering techniques, to find the answers and get into your account.

Password Expiration. Expiring passwords are also dropping off the best practice list. This goes along with the favor-the-user approach. It’s unreasonable to expect your employees to choose long, complex passwords… and then make them change them every three months. The new guidance recommends passwords only be changed or reset if they’re forgotten or compromised.

SMS Authentication. This is a significant change, as many two-factor authentication methods involve sending a code by SMS or text message to go along with the username and password. With attacks against mobile networks – like the SS7 attack we reported here – there are serious problems with the security of SMS messages. NIST recommends no longer using SMS as a part of two-factor authentication.

Password Safety. Another bit of guidance from the NIST publication relates to the way passwords are stored. According to the guidelines, passwords need to be hashed, salted, and stretched. Technical details can be found in the NIST document, but they call for a salt of at least 32 bits, a keyed HMAC hash using SHA-1, SHA-2, or SHA-3, and the stretching algorithm PBKDF2 with at least 10,000 iterations.
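To make the storage requirements concrete, here is an added example (not code from NIST or from this newsletter) that stores and verifies a password the way the paragraph above describes: a random salt well above the 32-bit minimum, PBKDF2 with HMAC over a SHA-2 hash (SHA-256), and at least 10,000 iterations. The self-describing record format (`pbkdf2_sha256$iterations$salt$hash`) and the parameter names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters taken from the NIST guidance summarized above: a salt of at
# least 32 bits (we use 16 bytes, well above the floor), a keyed hash from
# the SHA-2 family (HMAC-SHA-256) and PBKDF2 with at least 10,000 iterations.
# The record format below is an assumption of this example, not a NIST format.
MIN_SALT_BYTES = 4            # 32 bits, the minimum named in the guidance
MIN_ITERATIONS = 10_000
DEFAULT_SALT_BYTES = 16
DEFAULT_ITERATIONS = 10_000   # raise this as hardware allows
HASH_NAME = "sha256"
DERIVED_KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_BYTES)   # fresh random salt per password
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError("salt must be at least 32 bits")
    if iterations < MIN_ITERATIONS:
        raise ValueError("PBKDF2 needs at least 10,000 iterations")
    derived = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                  salt, iterations, dklen=DERIVED_KEY_BYTES)
    return "$".join(["pbkdf2_" + HASH_NAME, str(iterations),
                     salt.hex(), derived.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time; any malformed record simply fails."""
    try:
        algorithm, iterations, salt_hex, expected_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(expected_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_" + HASH_NAME or rounds < MIN_ITERATIONS:
        return False
    derived = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                  salt, rounds, dklen=DERIVED_KEY_BYTES)
    # hmac.compare_digest avoids leaking where the two digests first differ
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("password", record))                      # False
```

Because the salt and iteration count travel with the record, the verifier can raise the iteration count for new passwords later without invalidating existing ones, and two users with the same password still get different stored hashes.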

Key Takeaway

There are many opinions swirling from security experts about password best practices. But the reality is that when we make it too difficult and put the burden on the user, security suffers. This is proven every year when the most common password list is released and “password” takes the top spot each time. Users favor convenience over security.

When developing or reviewing password policies for your organization, these guidelines can provide a good foundation to work from and help improve the overall security of your workforce. The goal is to make it easy for employees to use good security hygiene.

Is Ransomware a Breach Under HIPAA?


With the dramatic rise in ransomware, there has been much speculation on whether ransomware attacks constitute a reportable breach under HIPAA. The Department of Health and Human Services (HHS) issued guidance to provide clarity on this controversy once and for all. Short answer: yes, it does.

HIPAA Rules

HIPAA defines a breach as “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.”

Whether ransomware constitutes a breach under HIPAA is a fact-specific determination. HHS’s guidance states that when a healthcare organization is hit with a ransomware attack and electronic protected health information is encrypted as a result, a breach has occurred.

During a typical ransomware attack on a healthcare organization, ePHI is encrypted when attackers take control of the information. Thus the ePHI was acquired, which results in a disclosure not permitted by the Privacy Rule.

Unless the attacked organization can show a low probability of PHI being compromised, a breach of the information is presumed. This requires organizations to comply with the breach notification rules in HITECH – i.e. notification to affected individuals, HHS, etc.

“Low Probability”

How can an organization show a low probability that PHI was compromised as a result of a ransomware attack? HIPAA relies on a risk assessment of the breach taking into consideration the following four factors:

  • The nature and extent of the PHI involved
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to PHI has been mitigated

As far as ransomware goes, victim organizations should note the following in their risk assessment:

  • The exact type and variant of malware discovered
  • The algorithmic steps undertaken by the malware
  • Communications between the malware and the attackers’ command servers
  • Whether or not the malware infected other systems

Identifying these factors should help an organization determine what type of data the malware was searching for, whether or not the data was taken from the organization’s systems, and whether the information was actually acquired or viewed.

Key Takeaway

The important thing to note from this HHS guidance is that for healthcare organizations, a ransomware attack could result in a reportable breach. Many security experts and breach lawyers viewed ransomware attacks in a different light, and not many organizations were reporting these attacks to the HHS.

With the new guidance, we expect to see more breaches reported to the HHS at the end of the year, as well as more breaches hitting the HHS’s Wall of Shame.

With an uptick in the number of reported breaches, it’s also expected that OCR will get more involved with investigations into ransomware attacks. It’ll be interesting to see if any new HIPAA enforcement actions will arise from organizations hit with ransomware.

If your organization suffers a ransomware attack, it’s crucial to get a breach coach involved right away to help navigate the different reporting requirements.

PCI Guide for Small and Medium-Sized Businesses


Small and medium-sized businesses are getting a helping hand towards PCI compliance. The PCI Security Standards Council released a new resource to help small and medium-sized businesses defend against hackers.

PCI Compliance Issues

Most small and medium-sized businesses have no clue how to comply with the PCI standards. Many rely on their point-of-sale vendors to keep up with cybersecurity.

Often compliance with PCI and implementing EMV is just too expensive. The new chargeback incentives haven’t had the effect on merchant compliance that the industry hoped.

Many small and medium-sized businesses still think data breaches are only a problem for the big guys – the big box store retailers and brand name merchants hitting the headlines after a breach. However, the truth is cybercriminals are targeting smaller merchants.

When cyber criminals compromise a smaller merchant and post the pool of cardholder data for sale, it’s more difficult to determine a common point of purchase than with a larger merchant. If the merchant doesn’t realize it is the common point of purchase, vulnerabilities remain in place, opening the door for a later attack.

Easy-to-Use PCI Guide

Taking all of the issues above into account, the PCI Council is trying to address some basic things smaller merchants can do to make the most impact and bolster their security defenses.

The resource they published is a 26-page tutorial – Guide to Safe Payments. The guidance is geared towards helping merchants assess their areas of risk and determine which security improvements will be most effective.

The new resource is NOT a list of requirements. It is guidance with easy-to-understand language and infographics. It describes emerging attacks and the expense level to mitigate the risk of those attacks.

Key Takeaway

The payment card industry as a whole seems to be catching on to the difficulties associated with compliance. Overall, this looks like PCI Council’s best guidance for companies without a dedicated security team.

The general idea is to provide companies with easy, cost-effective ways to bolster their security defenses. If you’ve felt the struggles of complying with the rigid PCI standards, this guide is a friendly place to find some first steps.

NIST Publishes Guide for Application Whitelisting

The National Institute of Standards and Technology published a Guide to Application Whitelisting. Whitelisting is a strategy deployed by the IT department to allow only approved software to run on an enterprise computer system.

While anti-malware and anti-virus software blocks activity it recognizes as malicious, whitelisting allows only approved activity and blocks everything else. This prevents employees from downloading programs that carry malware or viruses and running them on the company’s systems or networks.

The guidance provides step-by-step instructions for organizations looking to implement whitelisting into their business practices. Larger organizations might see the most benefit from whitelisting as there is more often centralized control over computer devices that are connected to the company’s network.
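To show what the “allow only approved software” model means in practice, here is an added example (not code from NIST or from this newsletter) of the default-deny decision at the core of application whitelisting, using one matching attribute: a SHA-256 hash of the file’s contents. The approved files, their names and their contents are constructed for the example, and the allowlist is assumed to be built from vetted copies by the IT department.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample binaries standing in for the contents of approved
# executables; in a real deployment the allowlist is built from the vetted
# files themselves, and the names below are placeholders, not real paths.
APPROVED_FILES: Dict[str, bytes] = {
    "approved/office-suite.exe": b"MZ\x90\x00 constructed office suite payload",
    "approved/pdf-reader.exe":   b"MZ\x90\x00 constructed pdf reader payload",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each approved file's SHA-256 digest to the name it was vetted under."""
    return {sha256_hex(data): name for name, data in files.items()}


def check_execution(path: str, contents: bytes,
                    allowlist: Dict[str, str]) -> Tuple[str, str]:
    """Return ('allow', reason) or ('deny', reason). Anything not on the
    allowlist is denied: that is the whole point of the model."""
    digest = sha256_hex(contents)
    if digest in allowlist:
        return "allow", f"{path} matches approved {allowlist[digest]}"
    return "deny", f"{path} (sha256 {digest[:12]}...) is not on the allowlist"


def audit_log(events: List[Tuple[str, bytes]],
              allowlist: Dict[str, str]) -> List[str]:
    """Run a batch of execution attempts and return one log line each, so
    denied attempts can be reviewed (and legitimate software added)."""
    lines = []
    for path, contents in events:
        verdict, reason = check_execution(path, contents, allowlist)
        lines.append(f"{verdict.upper():5} {reason}")
    return lines


if __name__ == "__main__":
    allowlist = build_allowlist(APPROVED_FILES)
    tampered = bytearray(APPROVED_FILES["approved/pdf-reader.exe"])
    tampered[-1] ^= 0x01   # one flipped bit in an otherwise approved binary
    attempts = [
        ("approved/office-suite.exe", APPROVED_FILES["approved/office-suite.exe"]),
        ("downloads/renamed.exe", APPROVED_FILES["approved/pdf-reader.exe"]),
        ("downloads/pdf-reader.exe", bytes(tampered)),
        ("downloads/free-screensaver.exe", b"MZ\x90\x00 constructed unknown program"),
    ]
    for line in audit_log(attempts, allowlist):
        print(line)
```

Two behaviours worth noticing: a renamed copy of an approved program is still allowed, because the decision is made on content rather than file name, while an approved program with a single changed byte is denied, because its hash no longer matches. That second property is what makes hash-based matching effective against tampered or trojanized binaries, and it is also why every legitimate software update requires the allowlist to be refreshed, which is the maintenance burden the NIST guide addresses and the reason centrally managed environments benefit most.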