information security

National Telehealth Takedown Highlights Opportunity for Providers to Enhance Compliance Efforts

The US Department of Justice and the US Department of Health and Human Services Office of Inspector General recently announced a significant healthcare fraud takedown involving $4.5 billion in allegedly false and fraudulent claims involving telehealth. The allegations involved telehealth executives paying healthcare providers to order unnecessary items and services, as well as payments from durable medical equipment companies, laboratories and pharmacies for those orders. While the alleged conduct is not representative of the legitimate and crucial telehealth services offered by the vast majority of healthcare providers, the government’s continued focus on telehealth arrangements, combined with the ongoing expansion of coverage for telehealth services, provides an important opportunity for healthcare providers to evaluate their telehealth service offerings and arrangements and to further enhance their related compliance activities.

In Depth

On September 30, 2020, the US Department of Justice (DOJ) issued a press release describing the largest national healthcare fraud and opioid enforcement action in the DOJ’s history (the Takedown). The Takedown involved coordination with the US Department of Health and Human Services Office of Inspector General (OIG) and other federal and state law enforcement agencies, and resulted in cases against more than 345 defendants in 51 judicial districts. The government charged the defendants with participating in healthcare fraud schemes involving more than $6 billion in alleged losses to federal health care programs, with the vast majority of alleged losses ($4.5 billion) stemming from arrangements involving alleged “telefraud.”

According to the DOJ press release, a recently announced National Rapid Response Strike Force led the initiative focused on telehealth. The National Rapid Response Strike Force is part of the Health Care Fraud Unit of DOJ’s Criminal Division Fraud section, and its mission is to “investigate and prosecute fraud cases involving major health care providers that operate in multiple jurisdictions, including major regional health care providers operating in the Criminal-Division-led Health Care Fraud Strike Forces throughout the United States.”

Background

In recent years, the government has increasingly focused on alleged healthcare fraud schemes involving telehealth services. In connection with the Takedown, OIG issued a fact sheet and graphic highlighting the increase in “telefraud” arrangements leveraging “aggressive marketing and so-called telehealth services.” The individuals charged in the Takedown included telehealth company executives, medical providers, marketers and business owners who allegedly used telemarketing calls, direct mail, and television and internet advertisements to collect information from unsuspecting patients.

Many of the cases involved telehealth executives who allegedly paid healthcare providers to order unnecessary durable medical equipment (DME), genetic and other diagnostic testing, and medications, either without any patient interaction or with only a brief phone call. The government alleged that the arrangements involved kickbacks to telehealth executives after the DME company, laboratory or pharmacy billed Medicare or Medicaid for items and services that the government asserts were often not provided to beneficiaries or were “worthless to patients . . . and delayed their chance to seek appropriate treatment for medical complaints.”

DOJ provided a [...]





New York’s Cybersecurity Requirements Pose Multi-Year Compliance Challenges

New cybersecurity regulations issued by the NYDFS define the nonpublic information they regulate in exceptionally broad terms. This expanded definition of Nonpublic Information will create major challenges for regulated companies and their third-party service providers that will likely ripple through other ancillary industries.





C-Suite – Changing Tack on the Sea of Data Breach?

The country awoke to what seems to be a common occurrence now: another corporation struck by a massive data breach.  This time it was Anthem, the country’s second largest health insurer, in a breach initially estimated to involve eighty million individuals.  Both individuals’ and employees’ personal information is at issue, in a breach instigated by hackers.

Early reports, however, indicated that this breach might be subtly different than those faced by other corporations in recent years.  The difference isn’t in the breach itself, but in the immediate, transparent and proactive actions that the C-Suite took.

Unlike many breaches in recent history, this attack was discovered internally through corporate investigative and management processes already in place.  Further, the C-Suite took an immediate, proactive and transparent stance: just as the investigative process was launching in earnest within the corporation, the C-Suite took steps to fully advise its customers, its regulators and the public at-large, of the breach.

Anthem’s chief executive officer, Joseph Swedish, sent a personal, detailed e-mail to all customers. An identical message appeared in a widely broadcast press statement.  Swedish outlined the magnitude of the breach, and that the Federal Bureau of Investigation and other investigative and regulatory bodies had already been advised and were working in earnest to stem the breach and its fallout.  He advised that each customer or employee with data at risk was being personally and individually notified.  In a humanizing touch, he admitted that the breach involved his own personal data.

What some data privacy and information security advocates noted was different: The proactive internal measures that discovered the breach before outsiders did; the early decision to cooperate with authorities and press, and the involvement of the corporate C-Suite in notifying the individuals at risk and the public at-large.

The rapid and detailed disclosure could indicate a changing attitude among the American corporate leadership.  Regulators have encouraged transparency and cooperation among Corporate America, the public and regulators as part of an effort to stem the tide of cyber-attacks.  As some regulators and information security experts reason, the criminals are cooperating, so we should as well – we are all in this together.

Will the proactive, transparent and cooperative stance make a difference in the aftermath of such a breach?  Only time will tell but we will be certain to watch with interest.




An Update on the Cybersecurity Framework and Action Items for NIST

The National Institute of Standards and Technology (NIST) recently released an update on its Framework for Improving Critical Infrastructure Cybersecurity (The Framework).  The Framework was first issued in February 2014 as a voluntary risk-based program to enable owners and operators of U.S. critical infrastructure to assess and remediate their cybersecurity risks.  For more detail on The Framework, see our previous blog post, “Trendy “Cybersecurity” Versus Traditional “Information Security” Two Sides of the Same Security Coin,” and article, “The Cybersecurity Framework’s Components,” Privacy and Data Protection 2014 Year in Review at 32-34.

Industry Feedback

The NIST update provides a summary of feedback concerning industry’s initial use of the Framework.   NIST reports that many users have found the Framework helpful in improving communication within and across organizations, assessing risks of current practices, and as a tool to demonstrate alignment with standards, best practices and, in some cases, regulatory requirements.

Certain users expressed concerns about the Framework.  Among the critiques offered by industry members are the following:  (1) The Tiers appear to be the least-used part of the Framework, likely because of their enterprise-level scope; (2) Examples are needed to demonstrate practical and applied uses of the Framework; (3) Some of the terminology is confusing and needs clarification; (4) Health care providers, other covered entities and business associates need practical and detailed guidance on moving from a HIPAA compliance-only strategy to a focus on being cyber secure; (5) NIST should advise as to how an organization can integrate cybersecurity into budget planning and master planning; and (6) Global alignment is important to avoid confusion and duplication of effort by other governments.

Regulatory Concerns

Concerns were raised as to whether regulating agencies or Congress will make the Framework mandatory, transforming it from a voluntary mechanism to a compliance requirement.  NIST does not answer industry’s concern that the Framework could become a de facto standard for cybersecurity or may impact legal definitions or enforcement guidelines for cybersecurity.   It merely reports that industry concern was expressed.

NIST Action Items

NIST makes clear that it will not be updating the Framework within the next year.  It stressed that more time is needed for industry to understand and use the current version of the Framework.  Toward that end, it has assigned itself certain action items in response to the industry feedback.  To continue to promote use of the Framework, NIST agrees to complete the following tasks:

  • Increase efforts to raise awareness of the Framework in the same open and collaborative manner (i.e., working with industry, academia and government at multiple levels) in which the Framework was developed;
  • Develop an outreach effort to include small- and medium-sized businesses, state and local governments, and international organizations;
  • Develop and disseminate information and training materials that include actual examples of how organizations can employ the Framework in a practical and meaningful manner;
  • Develop advice on how to integrate cybersecurity risk management with broader enterprise risk management;
  • Explore options for making Framework reference materials available in a common publicly-available [...]




Trendy “Cybersecurity” Versus Traditional “Information Security” Two Sides of the Same Security Coin

Cybersecurity has become a dominant topic of the day.  The Snowden revelations, the mega-data breaches of 2013, the pervasiveness of invisible online “tracking” and the proliferation of “data broker” trading in personal data – all feed into the fears of individuals who struggle to understand how their personal information is collected, used and protected.  Over the past year, these forces have begun to merge an old concern by individuals about the security of their personal information into a broader, more universal fear that the country’s infrastructure lies vulnerable.

In many respects, however, the concept of cybersecurity is not new.  Cybersecurity is a form of information security, albeit perhaps with a broader, more universal view of required security controls.  Decades-old statutes include information security requirements for certain types of information: the Health Insurance Portability and Accountability Act (HIPAA) addresses health information and the Gramm-Leach-Bliley Act (GLBA) addresses financial information.  Add to those statutory regimes the U.S. Federal Trade Commission’s (FTC) enforcement authority over corporate information security practices pursuant to Section 5 of the FTC Act (recently upheld in Federal Trade Comm’n v. Wyndham Worldwide Corp.) and certain state-based data security regulations that require corporations to safeguard personal information (e.g., 201 CMR 17.00, et seq.).  The net effect of these regulatory drivers is that many organizations have focused for decades on developing administrative, physical and technical safeguards for effective protection of personal information – resulting in a programmatic approach to information security.

Now, along comes the evolution of cybersecurity with its own emerging standards.  Organizations are asking themselves whether they need to do something different or in addition to the programmatic steps already taken to comply with information security requirements that are applicable to the organization.  The good news is that while some additional work likely will be required as described below, companies with solid programmatic approaches to information security are well on their way to meeting the following emerging cybersecurity standards.

NIST Cybersecurity Framework

On February 12, 2013, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.”  The Executive Order has several key components, but most importantly, it contains a requirement for owners and operators of “critical infrastructure” to develop a cybersecurity framework.  The Order directed the National Institute of Standards and Technology (NIST) to develop a baseline cybersecurity framework to reduce cyber risks to critical infrastructure.  NIST subsequently developed its “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), which was released on February 12, 2014.  The goal of these efforts is to provide organizations with a cybersecurity framework as a model for their business.  While the Framework is, at this point, intended to provide a voluntary program for owners and operators of critical infrastructure, it is already starting to seep into federal “incentives” used to encourage the private sector to comply with the Framework.  And the Framework itself may evolve into a sort of “security” standard of care.

SEC Cybersecurity and Disclosure Laws

In addition to the Framework, the U.S. Securities and Exchange Commission (SEC) recently [...]
