If you get caught using a VPN (Virtual Private Network) in Abu Dhabi, Dubai and the broader United Arab Emirates (UAE), you could face temporary imprisonment and fines of up to $545,000 (~Dhs2 Million).
Yes, you heard that right.
Online privacy is one of the biggest challenges in today’s interconnected world. Governments across the world have been found to be using the Internet to track people’s information and conduct mass surveillance.
This is where VPNs and proxy servers come into play.
VPNs and proxy servers are being used by many digital activists and protesters, who are living under the most oppressive regimes, to protect their online activity from prying eyes.
However, using a VPN or proxy in the UAE could land you in great difficulty.
The UAE President Sheikh Khalifa bin Zayed Al Nahyan has issued new sovereign laws for combating cyber crimes, which include a regulation that prohibits anyone, even travelers, in the UAE from using VPNs to secure their web traffic from prying eyes.
According to the laws, anyone using a VPN or proxy server can be imprisoned and fined between $136,000 and $545,000 (Dhs500,000 and Dhs2 Million).
The laws have already been issued by the UAE President and have now been reported to the official government news service WAM.
For those unfamiliar, a Virtual Private Network (VPN) securely routes your Internet traffic through a distant connection, protecting your browsing, hiding your location data and letting you access restricted resources.
Nowadays, VPNs have become a valuable tool not just for large companies, but also for individuals to dodge content restrictions as well as to counter the growing threat of cyber attacks.
The UAE’s top two telecom companies, Etisalat and Du, have banned VoIP — the phone calling features in popular apps like WhatsApp, Viber, Facebook Messenger and SnapChat that deliver voice calls over the Internet for free — from within the Gulf nation.
However, the vast number of UAE residents who have used VPNs and proxies within the UAE for years to bypass the VoIP ban could soon be in difficulty.
Out of two new laws issued last week, one lays out fines for anyone who uses a VPN or proxy server, according to local news. The new law regarding VPNs states:
“Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs500,000 and not exceeding Dhs2 million, or either of these two penalties.”
The new move is in favor of telecom companies for whom VoIP ‘over-the-top’ apps have long been a major issue, as consumers no longer need to pay international calling rates to speak to their loved ones.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) warned healthcare professionals and their business associates of its intention to launch a series of random HIPAA compliance audits throughout 2016. This announcement caused some panic among businesses unsure of their ability to pass a compliance review. Many organizations are unclear as to who’s bound by HIPAA compliance standards and what aspects of their business will be evaluated during an audit.
Any organization that transmits electronic Protected Health Information (ePHI) is required to comply with all HIPAA parameters. These rules work to protect the security and confidentiality of patient data and the failure to adhere to these standards could put a business at risk for both substantial fines and potential lawsuits. Covered entities and their business associates need to understand what’s required to meet HIPAA standards and how their organizations could be affected if a random audit were to occur.
Understanding what is changing and what an audit entails will help businesses ensure they meet HIPAA compliance standards.
What has changed?
Before 2016, the OCR was only investigating non-compliance situations after a complaint, tip, or media report had been filed; thus, 98% of closed privacy cases were the result of a complaint. The Health Information Technology for Economic and Clinical Health (HITECH) audit act was effective starting in 2010, but the OCR has yet to implement an audit program that will proactively evaluate the compliance status of covered entities and business associates. A 2015 report released by the Office of Inspector General found the OCR’s oversight of HIPAA compliance to be lacking. Now, the OCR plans to strengthen its review efforts by implementing a second phase of audits that was scheduled to occur in 2014, but encountered a number of delays.
In this new round of assessments, providers with fewer than 15 physicians and healthcare business associates will be subject to audits. A business associate is any person or group that generates, stores, receives, or transmits PHI on behalf of the covered entity with which they’re affiliated. A covered entity is any health plan, healthcare clearinghouse, or healthcare provider that electronically transmits PHI.
However, it’s important to note that some states define these roles differently and businesses should check with their legal counsel or state trade association to determine the state’s specific rules. In Texas, for example, covered entities are classified as any organization in possession of PHI, meaning business associates are subject to the same regulations imposed on covered entities. While the odds a practice will be randomly audited are slim, it’s pertinent that an entity with access to PHI be vigilant about consistently evaluating and modifying its HIPAA security and compliance strategy, thus avoiding damages to its bottom line and reputation.
The HIPAA Omnibus Rule
The Final HIPAA Omnibus Rule was established in 2013 to revise previous HIPAA definitions, clarify procedures and policies, and include business associates and their contractors within the HIPAA regulations. While the rule has been in effect for a few years, the OCR’s lax investigation efforts have allowed some businesses to continue operating without adjusting their policies or procedures to meet the Omnibus Rule’s standards. Covered entities should address the following elements of their organization and make any updates to former documents and procedures to ensure they will be adequately covered in case of an audit.
Business associate agreements
All business associate agreements should be revised and updated to include the standards outlined in the HIPAA Omnibus Rule. Whereas before, covered entities shouldered compliance responsibilities, now business associates are equally liable if a data breach or security error occurs on their end. Business associates must sign a Business Associate Agreement before their services are used by a healthcare provider and are subject to the same penalties and fines as a covered entity.
An organization’s employees can be either a risk or an asset to its network and information security. Sufficient training should be held to inform staff of the definitions and procedures changed as a result of the Omnibus Rule. Business associates are required to implement training for their employees and all instruction efforts must be documented.
How to prepare for an audit
For any organization, managing HIPAA compliance can be daunting. A business and its employees should understand what a HIPAA compliance audit entails and what steps should be taken to adhere to HIPAA standards. When an organization is audited, it will be evaluated on aspects like patient privacy requests rights for PHI, individual access to PHI, administrative, technical and physical safeguards, the use and disclosure of PHI, HIPAA Breach Notification Rule policies and changes to PHI.
If an organization is subjected to an audit, it will likely be required to supply a plethora of documents to the OCR. An organization has 10 business days to supply the requested information and if it does not have the proper documentation and procedures in place when the audit occurs, it will likely be unable to supply the necessary information in the allotted time.
Generally, an audit will require an organization to provide records of its compliance efforts dating back several years. If this information is unavailable or nonexistent, the company could incur a number of legal and financial penalties. Businesses bound by HIPAA regulations should hold regular security reviews to assess the ability of the organization and its technology to meet compliance standards. In addition, changes made to suit these regulations should be regularly documented and updated to prove a remediation plan is in effect.
When performing a security review, businesses should ask themselves:
- What written policies and procedures are in place to address HIPAA regulations?
- Is there an established incident response plan to address a breach if it occurs?
- Are regular risk assessments being performed and documented?
- What policies are in place to address data security?
- Are security and use policies for BYOD and mobile devices in effect?
- Are business associates complying with HIPAA standards?
- Is there a regular training program in place to educate both old and new employees about HIPAA compliance regulations?
- Do patients receive a Notice of Privacy Practices and where is this notice available? (on-site, online, etc.)
It’s vital an organization’s security review be held and updated at least annually as businesses often restructure processes or add additional technology to their IT environment. Such changes can leave holes in the organization’s security strategy and render it vulnerable to a data breach.
While much of the HIPAA legislation remains unchanged in 2016, the OCR is bolstering its efforts to monitor and remediate PHI security risks throughout the nation. And as more organizations will be prone to an audit or investigation, it’s important that businesses understand HIPAA so they can remain compliant and protect their clients.
Taiwan is trying to figure out how hackers managed to trick a network of bank ATMs into spitting out millions. Police said several people wearing masks attacked dozens of ATMs operated by Taiwan’s First Bank on Sunday.
The latest victim of email hacking, an international diamond firm owner and resident of Malabar Hill, has complained to the police of being cheated of 37 lakh rupees; the police are investigating the matter and probing a Haryana link in the cyber crime. A diamond exporter, Sejal Savera, 40, the owner of Nikhil gems, was cheated of 37 lakh rupees after the company’s email was hacked and its client based in the United States of America was sent an email stating the company had changed its bank accounts and the deal amounts should now be transferred to a bank in Haryana.
A 38-year-old man, alleged to be a specialist in hacking into the emails of banks and other business institutions to defraud them of various amounts, has been arrested by the police. The suspect, identified as Gadiel Baah Nyumutei, according to the police, hacked into the emails of some business institutions and succeeded in transferring a total of GHc33,000 and $9,800 into his personal bank account.
Police in Taiwan said on Sunday they had arrested three out of 16 foreign suspects they believe hacked into the cash machines of a major local bank, withdrawing more than US$2 million.
A 23-year-old former Air India employee has been arrested for allegedly hacking into the airline’s internal system for managing frequent flier accounts, redeeming miles to convert them into tickets and selling them off to travel agents, police said on Monday. The accused, Anitesh Giri Goswami, is a graduate in Computer Application and has worked for leading airlines, including Air India and now-defunct Kingfisher Airlines.