Top Stories
HAA 2023-006: CSF Version 11.1 Release
The HITRUST CSF v11.1 framework is available within MyCSF and downloadable as of April 4, 2023.
Included in v11.1 are several new and refreshed authoritative sources:
1. Added MARS-E v2.2 mapping and selectable Compliance factor, “MARS-E v2.2”. The existing MARS-E Compliance factor, “MARS-E v2.0”, will not be selectable as of v11.1.
2. Added IRS Pub. 1075 (Rev. 11-2021) mapping and selectable Compliance factor, “IRS Pub. 1075 (Rev. 11-2021)”. The existing “IRS Pub. 1075” Compliance factor will not be selectable as of v11.1.
3. Refreshed FedRAMP mapping and selectable Compliance factor, “FedRAMP”.

HITRUST Now Available in the Microsoft Azure Marketplace - HITRUST Alliance
Jake Zborowski, General Manager, Microsoft Azure Platform at Microsoft Corp., said, “Through Microsoft Azure Marketplace, customers around the world can easily find, buy, and deploy partner solutions they can trust, all certified and optimized to run on Azure. We’re happy to welcome HITRUST solutions to the growing Azure Marketplace ecosystem.”

HHS Office for Civil Rights Announces the Expiration of COVID-19 Public Health Emergency HIPAA Notifications of Enforcement Discretion | HHS.gov
“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”
Breaches
Iowa Medicaid Suffers Third-Party Data Breach, 20K Impacted
The Iowa Department of Health and Human Services announced that approximately 20,000 Medicaid members may have had their personal information compromised as a result of a third-party data breach.

Nurses Sue CommonSpirit Hospital Chain Over Unpaid Wages After 2022 Cyberattack - WSJ
A group of nurses in Oregon is suing one of the largest hospital operators in the U.S., alleging they were underpaid after a ransomware attack in October last year.
Security

HHS Emphasizes EHR Cybersecurity Risks to Healthcare Sector
A recent HHS threat brief emphasized the need for healthcare organizations to stay on their toes against emerging cybersecurity risks, ensuring patient health is safe from threat actors.

FDA to medical device manufacturers: ‘Get your house in order’ | SC Media
New medical device submissions must include new FDA cybersecurity requirements by Oct. 1, but manufacturers should act as if these rules are enacted.

Biden Administration Weighs Action Against Russian Cybersecurity Firm - WSJ
The potential action against Kaspersky Lab could become a model for similar action against TikTok or other Chinese-controlled technologies.
Microsoft (& Apple) Patch Tuesday, April 2023 Edition – Krebs on Security
Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.
Privacy

HHS Proposes Measures to Bolster Patient-Provider Confidentiality Around Reproductive Health Care | HHS.gov
Today, the U.S. Department of Health & Human Services (HHS), through its Office for Civil Rights, issued a Notice of Proposed Rulemaking (NPRM) to strengthen Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to investigate or prosecute patients, providers, and others involved in the provision of legal reproductive health care, including abortion care.

Vimeo to pay $2.25M in AI-related biometric privacy lawsuit | SC Media
The settlement will resolve claims that Vimeo collected and stored the biometric data of users who uploaded media into its app.

Bill to strengthen health data privacy passes state legislature | king5.com
If the House concurs on the bill and the Governor signs it into law, it would break new ground on privacy law in Washington.
Europe

MEPs against greenlighting data transfers with the U.S. under current rules | News | European Parliament
In a resolution adopted on Thursday, Civil Liberties Committee MEPs argue that the European Commission should not grant the United States an adequacy decision deeming its level of personal data protection essentially equivalent to that of the EU, which would allow transfers of personal data between the EU and the U.S.
Misc

Proposed Health IT Certification Rules Target AI, Privacy
Federal regulators have proposed new rules aimed at securing certified healthcare software products, helping patients decide which records to keep private, and protecting data used by AI and predictive tools. The hefty, 556-page Department of Health and Human Services proposed rule seeks to promote innovation and data sharing while tightening security and privacy.