Healthcare Cybersecurity

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF (Identify, Detect, Protect, Respond, and Recover), conformance was lowest for Detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, which clearly demonstrated compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees accessing the health records of household members, 10% involved accessing the records of VIPs who were treated at the hospital, 8% involved accessing the health records of co-workers, and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.

The post Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules appeared first on HIPAA Journal.

HHS Slow to Implement GAO Health IT and Cybersecurity Recommendations

The U.S. Department of Health and Human Services has been slow to implement recommendations made by the Government Accountability Office. In total, 392 recommendations have yet to be addressed, including 42 which GAO rated as high priority.

Over the past four years, GAO has made hundreds of recommendations, but the HHS has only addressed 75% of them, 2% lower than the rate for other government agencies.

The poor implementation rate was outlined in a March 28, 2019 letter from the GAO to HHS secretary Alex Azar.

GAO explained that healthcare is part of the nation’s critical infrastructure and relies heavily on computerized systems and electronic data to function. Those systems are regularly targeted by a diverse range of threat actors, so it is essential they are secured and protected from unauthorized access.

GAO drew attention to four high priority recommendations covering health IT and cybersecurity that are still outstanding.

“The four open priority recommendations within this area outline steps to ensure HHS can effectively monitor the effect of electronic health records programs and progress made toward goals; encourage adoption of important cybersecurity processes and procedures among healthcare entities; protect Medicare beneficiary data accessed by external entities; and ensure progress is made toward the implementation of IT enhancements needed to establish the electronic public health situation awareness network,” wrote GAO in the letter.

GAO explained that in March 2018, it recommended that the administrator of the Centers for Medicare and Medicaid Services (CMS) should develop and implement policies and procedures to ensure that entities using claims data to evaluate the performance of Medicare service and equipment providers have implemented appropriate security controls.

While CMS has agreed to engage a contractor to review the current data security framework and provide recommendations on specific controls and implementation requirements, GAO notes that CMS must also develop appropriate processes and procedures for implementing those controls.

Three other high priority health IT and cybersecurity recommendations have yet to be implemented.

The HHS has yet to develop performance measures that allow it to assess whether the Meaningful Use program (now the Promoting Interoperability Program) is actually improving outcomes and patient safety.

GAO recommended in 2018 that the HHS and the Secretary of Agriculture should collaborate with the Department of Homeland Security and NIST and develop methods for determining the level and type of cybersecurity framework adoption required to improve the critical infrastructure of the healthcare industry. While some work has been completed in this area, GAO wrote that the HHS is still trying to identify applicable methods 12 months on.

GAO also recommended that the HHS should instruct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes when establishing the network and should act under the leadership of the HHS CIO. GAO notes that little has been done to enhance national public health situational awareness network capabilities that would allow officials to view real-time information about emerging health threats.

GAO explained that it is essential for these and other recommendations to be implemented promptly. Further, GAO believes that fully implementing all of its recommendations will significantly improve HHS operations.


Data Security Incident Response Analysis Published by BakerHostetler

BakerHostetler has released its fifth annual Data Security Incident Response Report, which contains an analysis of the 750+ data breaches the company helped manage in 2018.

BakerHostetler suggests there has been a collision of data security, privacy, and compliance, and companies have been forced to change the way they respond to security breaches.

In addition to federal and state regulations covering data breaches and notifications, companies in the United States must also comply with global privacy laws such as the EU’s General Data Protection Regulation (GDPR). All of these different regulations make breach response a complex process. The definitions of personal information, and the breach response and reporting requirements, differ between GDPR, HIPAA, and the laws of the 50 states. Failure to comply with any of these regulations can lead to severe financial penalties. It is therefore of major importance to be prepared for breaches and to be able to respond as soon as a breach is discovered.

This has led many companies to create committees to help manage data breaches, which include stakeholders with expertise in each of the above areas.

Most Common Causes of Data Breaches

An analysis of 2018 incidents shows phishing remains the most common cause of data breaches, accounting for 37% of all incidents managed by the law firm in 2018. The most common type of phishing attack seeks Office 365 credentials. 34% of phishing attacks in 2018 resulted in an Office 365 account being accessed by the attacker.

  1. Phishing Attacks – 37%
  2. Network Intrusions – 30%
  3. Accidental Disclosures – 12%
  4. Lost/stolen devices and records – 10%
  5. System Misconfiguration – 4%

30% of successful phishing attacks saw the attackers peruse the network to find accessible data. 12% of intrusions resulted in the deployment of ransomware, and 8% resulted in a fraudulent wire transfer. In 1% of cases, a successful phishing attack resulted in the deployment of malware other than ransomware.

55% of successful attacks occurred as a result of a mistake by employees, 27% were due to a non-vendor unrelated third party, 11% were due to a vendor, 5% of attacks involved a malicious insider, 3% were due to a non-vendor related third party, and 2% were due to an unrelated third party.

Incident Response, Investigation and Recovery

In 2018, 74% of breaches were discovered internally and 26% were identified by a third party.

The average time to detect a breach across all industry sectors was 66 days. It took an average of 8 days to contain the breach and 28 days for a forensic investigation to be completed. The average time to issue notifications was 56 days.

Healthcare data breaches took an average of 36 days to discover, 10 days to contain, 32 days to complete a forensic investigation, and 49 days to issue notifications. Healthcare data breaches required an average of 5,751 notification letters to be sent.

There was an increase in investigations by OCR and state Attorneys General in 2018. 34% of breaches resulted in an investigation by an Attorney General and 34% were investigated by OCR. Out of 397 breach notifications issued, 4 lawsuits were filed.

There has been an increase in the use of forensic investigators following a breach. 65% of breaches involved some kind of forensic investigation, compared to 41% of incidents in 2017. The average cost of a forensic investigation was $63,001 overall, and $120,732 for network intrusion incidents.

The average ransom paid was $28,920 and the maximum was $250,000. In 91% of cases, payment of the ransom resulted in the attacker supplying valid keys to decrypt files.

70% of breaches required credit monitoring services to be offered, in most cases due to the exposure of Social Security numbers.

BakerHostetler also notes that following a data breach there is often an increase in access right requests. It is therefore important for companies to have established and scalable access right request processes in place to ensure they can cope with the increase following a security breach.

Interactive Data Breach Notification Map

Healthcare organizations are required to comply with the HIPAA Breach Notification Rule which requires breach notification letters to be issued to affected individuals within 60 days of the discovery of a breach of PHI.

States have also introduced their own breach notification laws, which differ from HIPAA and may, in some cases, require notifications to be issued more rapidly. To help companies find out about the breach notification requirements in each state, BakerHostetler has compiled an interactive data breach notification map.

Using this interactive tool, organizations can find out about the breach reporting requirements in each state. The interactive data breach notification map can be viewed on this link.


Study Reveals How Well Consumers Feel Health Data is Protected

The results of a study on healthcare cybersecurity from the perspective of consumers have recently been published by cybersecurity firm Morphisec. More than 1,000 consumers were surveyed to obtain their opinions on healthcare cybersecurity, the healthcare threat landscape, how their personal health information is being targeted, and how well they feel their health information is protected.

The transition from paper records to electronic health records has improved efficiency and allows health information to be shared more easily, but vulnerabilities have been introduced that can be exploited by hackers.

Morphisec notes that cyberattacks on the healthcare industry occur at more than double the rate of attacks on other industry sectors. The volume of attacks and frequency that they are reported in the media undoubtedly affects how secure consumers believe their health records are.

Since 2009, more than 190 million healthcare records have been exposed or stolen, which is equivalent to 59% of the population of the United States, yet when consumers were asked if their providers have experienced a data breach, 54% did not know. 40% said no breach had occurred to their knowledge and only 6% said one of their providers has been affected. HIPAA requires notifications to be sent to consumers when their health records are exposed, but it would appear that many consumers feel they are not informed about data breaches.

Consumers Concerned About Privacy and Security of Health Data

When asked who is responsible for protecting health data, 51% of consumers felt it was a joint responsibility between consumers and their providers. Only 29% felt that it was the sole responsibility of their provider to keep health data private and confidential. Only 8% of consumers felt that it was their own responsibility to keep health data that has been shared with them private.

As more and more healthcare providers give patients access to their health information through patient portals, and consumers are encouraged to obtain copies of their health data, it is not surprising that so many consumers feel the responsibility for protecting health data is shared. The use of patient portals has increased from 28% to 42% in the past 12 months, an increase of 14 percentage points.

55% of consumers feel their health data is more secure when stored by providers. 45% believe that health information stored on personal electronic devices is more secure than data held by their providers. It is unclear whether consumers do not trust their providers to secure data, whether they think a cyberattack on a provider is more likely than an attack on them personally, or if they feel that there is little difference between their own security defenses and those of their providers.

What is clear is consumers believe there are many weak links that need to be addressed, in particular web browser defenses, which almost a quarter of respondents (24.1%) felt was the weakest link in security. A fifth of respondents felt the weak point was endpoint defenses (21%), email phishing defenses (20.9%) or patient portal defenses (20.1%). Only 13.8% felt medical device security was the weakest link.

Healthcare Organizations Only Achieving a Baseline Level of Security

HIPAA requires healthcare organizations to implement security measures to keep protected health information private and confidential. Heavy fines can be issued if a data breach is experienced and providers are discovered to have failed to implement appropriate defenses. HIPAA has certainly helped to improve the standard of security across the healthcare industry as a whole, but many providers have only implemented security defenses to ensure compliance with HIPAA. Once the minimum standard of security has been achieved, the checkbox is ticked, and little is done to further reduce risk.

Through compliance, risk can be reduced, but HIPAA compliance does not mean cyberattacks will not succeed nor that attacks have been made difficult for hackers.

“With nearly 90% of health organization CIOs indicating they purchase cybersecurity software to comply with HIPAA, rather than to reduce threat risk, consumers have a right to be worried about the cyber defenses protecting their health data,” said Tom Bain, VP of Security Strategy at Morphisec. “Merely checking the box that cybersecurity defenses meet HIPAA requirements isn’t enough to protect healthcare organizations today from advanced and zero-day attacks from FIN6 and other sophisticated attackers.”

That sentiment has been echoed by many industry professionals who believe that the threat of financial penalties is stopping healthcare organizations from improving their defenses further. Many just achieve the minimum level of security to comply with HIPAA.

Several stakeholders have suggested a safe harbor should be established for healthcare providers who meet HIPAA security standards to ensure they are immune from financial penalties. With the threat of financial penalties gone, it is felt that healthcare organizations would be more likely to invest more heavily in cybersecurity defenses.


Hardin Memorial Health Cyberattack Results in EHR Downtime

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime.

The cyberattack started on the evening of Friday, April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released, so it is unclear whether this was a hacking incident, a malware infection, or a ransomware attack.

The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units.

Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer, Tracee Troutt.

Upon discovery of the security breach, emergency procedures were implemented, and an IT assessment was conducted to determine the nature and extent of the incident. That assessment is ongoing, but most of the issues associated with the attack were resolved within 24 hours.

Extra staff were brought in over the weekend to assist with its remediation efforts and to conduct administrative processes manually until systems could be brought back online.

“A combined team of some 40 internal IT and patient care specialists, complemented by external experts, importantly including our Baptist Health partners, worked over the weekend to resolve issues quickly and is working on the assessment,” said Troutt.

The hospital was well prepared for system downtime. The Hardin Memorial Health IT team regularly tests emergency procedures to make sure they can be implemented quickly and are effective at preventing disruption to patient services. Extra protocols have already been implemented to reinforce system security.

This incident shows that while it may not be possible to prevent all cyberattacks, with tried and tested backup and emergency response plans it is possible to recover from a cyberattack quickly and prevent disruption to patient services.


Malware Alters CT Scans to Create and Remove Tumors

There is growing concern about hackers gaining access to medical devices and conducting attacks to cause harm to patients. Now malware has been created that can add fake tumors to CT scans.

The malware is not being used in real-world attacks. It has been created by researchers at the Ben Gurion University Cybersecurity Center in Israel to demonstrate just how easy it is to exploit vulnerabilities in medical imaging equipment.

In addition to adding tumors to medical images, the malware could be used to remove real tumors. The former could be conducted for political reasons, such as preventing a candidate from running for office; the latter would prevent individuals from receiving treatment for a life-threatening illness. The technique could also be used for insurance fraud, sabotage of medical trials, and cyber terrorism.

Prior to a patient being prescribed radiation therapy or chemotherapy additional tests would be performed and the incorrect diagnosis would be identified, but patients would still be caused considerable emotional distress. The removal of tumors to make the patient appear healthy could have much more serious implications. Treatment could be delayed until a point when it is too late to be effective.

The researchers used a deep learning neural network called a generative adversarial network to alter the CT scans intercepted by the malware.

The attack scenario demonstrated by the researchers would require a man-in-the-middle device to be built and physical access to a hospital. The device could be planted close to the scanner, such as at night when there is less chance of detection. With the device in place it would be possible to intercept CT scans and manipulate them at will.

The researchers created such a device from a Raspberry Pi 3 which was connected to a USB to Ethernet adapter. Both could be purchased for around $40.

The device was loaded with the Raspbian OS, configured as a network bridge, and set up as a WiFi access point. Once connected to the network, the device was capable of intercepting scan data as it was sent to the PACS (picture archiving and communication system). The attacker had full control over scan data and could alter it at will, creating or removing any number of tumors while retaining the same anatomy as the original scans.

But how effective is the malware at altering CT scans? Were the alterations good enough to fool trained radiologists?

In tests, 70 images were manipulated. The accuracy of the alterations was such that it was possible to fool three radiologists in 99% of instances where fake tumors were added and 94% of images where real tumors were removed. The altered images fooled AI systems every time.

When the radiologists were made aware that scans had been altered, in a second test using a mix of genuine and doctored images, they were still fooled by 60% of the images that had tumors added and 87% of images where tumors had been removed.

In the tests, the researchers used lung scans and injected fake tumors, but brain tumors could be created or removed just as easily and the system could be used on a wide range of health conditions such as bone fractures, blood clots, or spinal problems.

The alteration of images would be difficult to detect as scans are typically not encrypted nor digitally signed. Healthcare organizations are usually good at implementing robust perimeter controls to prevent attacks from remote threat actors but are less good at protecting internal networks. This eggshell approach to security leaves hospitals vulnerable to attacks conducted inside the facility by malicious insiders.
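The paragraph above identifies the missing control: nothing on the receiving side can tell whether the pixel data it stores is what the scanner produced. The following is an added example (not code from the Ben Gurion researchers or from any PACS vendor) showing the shape of that check on the defender's side. It uses an HMAC over a SHA-256 digest of the pixel bytes, bound to the study's identifying metadata, as a stand-in for a true digital signature (a production deployment would use asymmetric signatures so the archive never holds the scanner's signing key). The sample "scan", the key, and the metadata fields are all constructed for the demo.

```python
import hashlib
import hmac
import json


def make_sample_scan() -> bytes:
    """Constructed stand-in for a scan: an 8x8 slice of 16-bit pixel values.

    Real CT data travels as DICOM; for the demo only the raw byte payload matters.
    """
    pixels = bytearray()
    for row in range(8):
        for col in range(8):
            value = 1000 + row * 10 + col  # constructed, Hounsfield-like values
            pixels += value.to_bytes(2, "little")
    return bytes(pixels)


def canonical_metadata(meta: dict) -> bytes:
    # Deterministic encoding so the same study always produces the same bytes.
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign_scan(key: bytes, scan: bytes, meta: dict) -> str:
    """Tag computed at the scanner before the study leaves the modality.

    The tag covers both the pixel data and the study identity, so a valid tag
    cannot be replayed onto a different patient's study.
    """
    msg = canonical_metadata(meta) + b"\x00" + hashlib.sha256(scan).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_scan(key: bytes, scan: bytes, meta: dict, tag: str) -> bool:
    """Check performed by the archive (or viewer) before the image is trusted."""
    expected = sign_scan(key, scan, meta)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def inject_region(scan: bytes, offset: int, values) -> bytes:
    """Simulate an in-transit modification of a block of pixels.

    Used here only to show that the receiver detects the change; the modified
    bytes are arbitrary constructed values.
    """
    buf = bytearray(scan)
    for i, v in enumerate(values):
        buf[offset + 2 * i: offset + 2 * i + 2] = v.to_bytes(2, "little")
    return bytes(buf)


def demo() -> dict:
    key = b"constructed-demo-key-not-for-production"  # shared secret (assumption)
    meta = {"patient_id": "DEMO-0001", "study_uid": "1.2.3.4.demo", "modality": "CT"}
    scan = make_sample_scan()
    tag = sign_scan(key, scan, meta)

    # Three pixels at row 3, column 3 overwritten with a bright constructed value.
    altered = inject_region(scan, offset=2 * (3 * 8 + 3), values=[3000, 3000, 3000])
    # Same bytes, same tag, but presented under a different patient identifier.
    swapped_meta = dict(meta, patient_id="DEMO-0002")

    return {
        "original_ok": verify_scan(key, scan, meta, tag),
        "altered_detected": not verify_scan(key, altered, meta, tag),
        "replay_detected": not verify_scan(key, scan, swapped_meta, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the point at which the tag is computed: it has to be produced inside the modality (or a trusted gateway directly attached to it) so that a bridge planted between scanner and archive sits downstream of the signing step and cannot re-sign what it changes.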


Cross-sector and Bi-partisan Collaboration Critical for Improving Healthcare Organizations

On February 21, 2019, Sen. Mark Warner (D-Va) wrote to several healthcare organizations and federal agencies requesting feedback on how the U.S. government and the healthcare industry can improve cybersecurity.

Sen. Warner is concerned about the number of successful healthcare cyberattacks in recent years, the huge numbers of Americans who are impacted by the attacks, and the cost to the healthcare industry of remediating the attacks. In his letter, Sen. Warner referenced a study conducted by Accenture in 2015 that suggested cyberattacks would cost the healthcare industry more than $305 billion over the next 5 years.

Sen. Warner asked healthcare industry stakeholders several well-crafted questions inviting them to share their thoughts on steps that are currently being taken to improve cybersecurity, address vulnerabilities, and respond to attacks. He also sought suggestions on potential strategies for the U.S. government to adopt to improve cybersecurity at a national level.

Many of those contacted have responded to the request, including AdvaMed, the American Hospital Association (AHA), the American Medical Association (AMA), the College of Healthcare Information Management Executives (CHIME), the Healthcare Leadership Council (HLC), HITRUST, and the Virginia Hospital and Healthcare Association (VHHA).

Responses to Sen. Warner’s letter have been collected, amalgamated, and analyzed by the Institute for Critical Infrastructure Technology (ICIT).

ICIT identified several general themes from the responses. A common theme across all responses was the need for meaningful collaboration between public and private sector stakeholders and experts.

“Meaningful collaboration has proven one of the most under-utilized, cost-effective, and impactful strategies organizations can engage to mitigate hyper-evolving cyber threats,” wrote ICIT in its report (PDF).

Meaningful collaboration improves detection and response efforts and helps to prevent pass-through and supply chain attacks. While large healthcare organizations may have the resources to prevent, detect, and mitigate attacks, small healthcare organizations do not and are particularly vulnerable. Through collaboration, not only will smaller healthcare organizations be better protected, it will protect larger organizations against lateral movement from small partner networks.

There is a need for improved cybersecurity education and information sharing, which was highlighted by both the HLC and the AHA. The importance of ISAOs was also highlighted by AdvaMed. ISAOs provide timely cybersecurity information to allow members to be more proactive and prevent cyberattacks and data breaches.

Proactive cybersecurity was also a key theme. Healthcare organizations need to shift from reacting to incidents when they occur to being proactive and preventing data breaches. A lack of a proactive approach means patients suffer, as it is their sensitive data which will be stolen. While proactive cybersecurity naturally comes at a cost, it can be cost-effective as fines, breach remediation costs, and lawsuits can be avoided.

The AHA drew attention to the risks of attacks on legacy systems, which were developed at a time when cybersecurity was not a major consideration. The AHA stressed the importance of the FDA assisting in raising awareness of the threats to legacy systems and how to bolster cybersecurity.

The complexity of healthcare networks is a major concern, especially with the growing use of IoT devices. While many healthcare organizations have secured their servers, desktops, and laptops, management of other devices such as drug infusion pumps, embedded devices, and imaging systems needs to improve. Many healthcare organizations cannot even keep track of all the devices that connect to their networks, let alone evaluate the security of each device.

“If health systems are forced to trust a conglomeration of open commercial networks to manage their endpoints, we will continue to have an issue securing our medical devices and other critical systems,” explained CHIME. “Unless we have a separate secure system, where trusted parties are vetted securely, as is done with military or other government networks, our medical devices and other end points will still be at risk.”

The complex nature of HIPAA means many resources need to be committed to compliance, yet it only sets minimal standards for healthcare privacy and security. Complying with HIPAA does not necessarily help prevent data breaches, and the resources spent on achieving HIPAA compliance leave healthcare organizations with fewer resources to commit to proactive cybersecurity.

“Instead of focusing on punishing healthcare providers who suffer cybersecurity incidents, and thereby further reducing their resources available to modernize systems or adopt layered security controls, emerging governance should incentivize organizations to learn from their mistakes and share those lessons with other stakeholders,” suggested ICIT.

HITRUST, CHIME, HLC, and the AHA all recommend the creation of a safe harbor for healthcare organizations that demonstrate they are in compliance with security regulations to give them immunity from enforcement actions following data breaches. The safe harbor would incentivize them to implement security controls that they might otherwise forgo. It would likely result in improvements to cybersecurity defenses instead of healthcare organizations opting for the minimal level of protection to ensure compliance.

Sen. Warner’s letter has started an important conversation about healthcare cybersecurity. It is hoped that the points raised and continued cross-sector and bi-partisan collaboration will help to see major improvements made to cybersecurity across the healthcare sector.


OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter.

Healthcare organizations are attractive targets for hackers due to the quantity of sensitive data they store. Individuals’ protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals.

Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value to cybercriminals. The information can also be used by foreign governments to drive innovation.

There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits.

The term advanced persistent threat (APT) refers to repeated cyberattacks that attempt to exploit vulnerabilities to gain access to information systems. These attacks are often sophisticated, but even relatively simple attacks are dangerous due to their persistence.

The aim of the attacks is to stealthily gain access to information systems and steal information over a long period of time. “Advanced” refers to the techniques used to access networks and remain undetected, such as the use of malware. “Persistent” refers to the length of time over which systems are accessed and information is stolen. Several APT groups have succeeded in gaining access to healthcare IT systems in the United States and have used that access to steal sensitive patient information and proprietary healthcare data.

Zero-day exploits – or zero-day attacks – involve the use of previously unknown vulnerabilities to attack organizations. By their very nature, these types of attacks can be difficult to prevent. Since the vulnerabilities are only known to hackers, no patches exist to correct the flaws.

Oftentimes, vulnerabilities are discovered as a result of them being exploited. Patches are promptly released to correct the flaws, but hackers will continue to take advantage of the vulnerabilities until systems are patched. It is therefore essential to apply patches promptly and ensure that all operating systems and software are kept up to date.

Once a zero-day vulnerability is publicly disclosed it doesn’t take long for an exploit to be developed. Oftentimes, exploits for recently discovered vulnerabilities are developed and used in attacks within days of a patch being released.

If patches cannot be applied promptly, such as if extensive testing is required, it is important to implement workarounds or other security controls to prevent the vulnerabilities from being exploited. The use of encryption and access controls can help to ensure that even if access to a network is gained through the exploitation of a vulnerability, damage is minimized.

OCR has warned of the danger of combination attacks involving APTs and zero-day exploits, such as the use of the NSA’s EternalBlue exploit. Within days of the exploit being made available online, it was incorporated into WannaCry ransomware which infected hundreds of thousands of computers around the world. A patch for the vulnerability that EternalBlue exploited was released by Microsoft 2 months before the WannaCry attacks. Organizations that patched promptly were protected against the exploit and WannaCry.

Healthcare organizations and their business associates can improve their defenses against zero-day exploits and APTs by implementing measures outlined in the HIPAA Security Rule. OCR has drawn attention to the following requirements of the Security Rule which can help prevent and mitigate zero-day exploits and APTs:


Webinar: April 4, 2019: Email Security, DMARC, and Sandboxing

The healthcare industry is particularly vulnerable to phishing attacks and successful attacks commonly result in significant data breaches. It is now something of a rarity for a week to pass without a healthcare phishing attack being reported.

While healthcare organizations are providing security awareness training to staff and are using email security solutions, those defenses are not always effective.

To improve understanding of why advanced attacks are managing to evade detection by traditional email security solutions, email security solution provider TitanHQ is hosting a webinar.

During the webinar, TitanHQ will explain the threat from phishing and how organizations can protect themselves and their customers/patients. The webinar will also explain how two new features of TitanHQ’s SpamTitan email security solution, DMARC authentication and sandboxing, can protect against advanced email threats, zero-day attacks, malware, phishing, and spoofing.

Webinar Details:

Date : Thursday, April 4th, 2019

Time: 12pm EST

Duration: 30 minutes

Sign up to the Webinar here.


This is not a sponsored event. HIPAA Journal has no business relationship with the event holder. HIPAA Journal promotes events that might be of interest to its readers. You may submit your event information on our contact page. HIPAA Journal does not accept payment for promoting events.
