Healthcare Cybersecurity

New Philips iSite and IntelliSpace PACS Vulnerability Identified

ICS-CERT has issued an advisory about a medium severity vulnerability in Philips iSite and IntelliSpace PACS. The weak password vulnerability is present in all versions of iSite PACS and IntelliSpace PACS. If exploited, the confidentiality, integrity, and availability of a component of the system could be impacted.

The vulnerability is being tracked as CVE-2018-17906 (CWE-521) and concerns the use of default credentials and a lack of authentication within third-party software. The vulnerability would require only a low level of skill to exploit, although the potential for exploitation is limited as an attacker would first need to gain local network access. The vulnerability has been assigned a CVSS v3 base score of 6.3 and was reported to Philips by a user. Philips self-reported the flaw to NCCIC.

To prevent exploitation of the vulnerability, healthcare providers should restrict access to vulnerable iSite and IntelliSpace PACS systems to authorized personnel and follow standard security best practices.

Philips recommends only running IntelliSpace PACS installations in a managed service environment that conforms to NCCIC recommendations to reduce the risk of exploitation of the vulnerability. Measures that should be implemented include the use of a virtual private network, ensuring Philips iSite and IntelliSpace PACS are not accessible over the Internet, separating iSite and IntelliSpace PACS from other networks, and ensuring they are protected by a firewall.

Through the managed service environment, Philips offers automated anti-virus protection to continuously scan systems and remediate threats. Philips also runs a monthly patch program to address known vulnerabilities. Participants in the program will receive an update to address this and future vulnerabilities in a timely fashion.

Philips notes that the iSite 3.6 platform is now at end of life and has reached end of service, so upgrades are strongly recommended.

In October, ICS-CERT issued an advisory over six Philips iSite/IntelliSpace PACS vulnerabilities, and a further two vulnerabilities in Philips IntelliSpace Cardiovascular were reported in August. In each case, rapid action was taken to address the vulnerabilities through Philips’ Secure Development Lifecycle (SDL).

The post New Philips iSite and IntelliSpace PACS Vulnerability Identified appeared first on HIPAA Journal.

Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices

ICS-CERT has issued an advisory concerning five vulnerabilities that have been identified in Roche Point of Care handheld medical devices. Four vulnerabilities are high risk and one has been rated medium risk.

Successful exploitation of the vulnerabilities could allow an unauthorized individual to gain access to the vulnerable devices, modify system settings to alter device functionality, and execute arbitrary code.

The vulnerabilities affect the following Roche Point of Care handheld medical devices.

  • Accu-Chek Inform II (except Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later)
  • CoaguChek Pro II
  • CoaguChek XS Plus & XS Pro
  • Cobas h 232 POC

The related base units (BU), base unit hubs, and handheld base units (HBU) are also affected.

CVE-2018-18564 is an improper access control vulnerability. An attacker in the adjacent network could execute arbitrary code on the system using a specially crafted message. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.3.

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 04.03.00 (SN > 14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • cobas h 232 (Versions prior to 04.00.04 (SN > KQ0400000 or KS0400000))

CVE-2018-18565 is an improper access control vulnerability that would allow an individual that has access to an adjacent network to change the configuration of instrumentation. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.2.

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 03.00 (SN > 14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18562 concerns insecure permissions in a service interface that could allow unauthorized users in an adjacent network to execute arbitrary commands on the operating system. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub 9 (Versions prior to 03.01.04)
  • CoaguChek / cobas h232 Handheld Base Unit (Versions prior to 03.01.04)

CVE-2018-18563 affects the software update mechanism, which could be exploited by an attacker in an adjacent network to overwrite arbitrary files on the system using a specially crafted update package. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0.

The vulnerability is present in:

  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18561 is an improper authentication vulnerability involving the use of weak access credentials. An individual that has access to an adjacent network could gain service access to a vulnerable device through a service interface. The vulnerability is rated medium severity and has been assigned a CVSS v3 base score of 6.5.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub
  • CoaguChek / Cobas h232 Handheld Base Unit running 03.01.04 and earlier versions

All five vulnerabilities were identified by Niv Yehezkel of Medicate, who disclosed the vulnerabilities to Roche.

Mitigation procedures have been recommended by Roche to reduce the risk of the vulnerabilities being exploited. Software updates to address the vulnerabilities have been scheduled for release in November 2018.

Roche recommends:

  • Restricting network and physical access to the devices and their attached infrastructure through the activation of device security features
  • Protecting vulnerable devices from unauthorized access, theft, and malicious software
  • Monitoring network infrastructure and system activity for suspicious activity.

The post Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices appeared first on HIPAA Journal.

OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase and has identified several deficiencies.

Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices which could cause harm to patients.

The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas.

One area of weakness concerns how the FDA handles postmarket medical device cybersecurity events, including recalls of medical devices that contain vulnerabilities that could be exploited by hackers to gain access to the devices to alter functionality, steal patient data, or use the devices for attacks on healthcare networks. Written standard operating procedures for device recalls had not been established in two of the 19 FDA district offices under review.

While plans and procedures for dealing with cybersecurity events have been developed by the FDA, the agency’s ability to respond to cybersecurity incidents had not been adequately tested, according to OIG.

OIG noted in its report that as a result of the failure of the FDA to assess risks from medical device security events and ineffective approaches to responding to events, the FDA’s efforts to address medical device vulnerabilities were susceptible to “inefficiencies, unintentional delays, and potentially insufficient analysis.”

Even though deficiencies were identified, OIG said “We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event.”

OIG recommended that the FDA:

  • Continually assess cybersecurity risks to medical devices and update its plans and strategies accordingly
  • Establish written procedures for securely sharing sensitive information about cybersecurity events with appropriate stakeholders
  • Enter into a formal agreement with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team to establish roles and responsibilities
  • Ensure policies and procedures are established and maintained covering the recall of medical devices vulnerable to cybersecurity threats.

The FDA has been proactively addressing the issue of medical device cybersecurity; however, at the time of OIG’s fieldwork in the spring of 2017, the FDA had not yet properly addressed the emerging issue of medical device cybersecurity.

OIG notes that prior to issuing the draft report of the findings of the audit, the preliminary findings were shared with the FDA. By the time that the draft report was issued, the FDA had already addressed some of OIG’s recommendations.

The FDA concurred with all of OIG’s recommendations; however, the FDA did not agree with OIG’s suggestion that it had failed to assess medical device security at an enterprise or component level, nor that its policies and procedures were inadequate. The FDA also said that the OIG report provided an incomplete and inaccurate picture of its oversight of postmarket medical device cybersecurity.

The post OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices appeared first on HIPAA Journal.

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3.

In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March, 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches.

The largest healthcare data breach in Q3 was reported by the Iowa Health System UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records.

In Q3, hacking was the leading cause of healthcare data breaches. 51% of the 117 breaches were due to hacking and those incidents accounted for 83% of all exposed records in the quarter. Hacking incidents and the number of records exposed through hacking both increased in Q3.

23% of data breaches in Q3 (27 breaches) were due to insider wrongdoing or insider error, resulting in the theft/exposure/disclosure of 680,117 health records – 15% of the records exposed in Q3. Insider wrongdoing includes theft of data by employees, snooping on medical records, and other incidents where insiders violated HIPAA Rules.

19 breaches were caused by insider error – mistakes made by healthcare employees that resulted in the exposure or impermissible disclosure of healthcare records. Insider errors resulted in the exposure/disclosure of 389,428 patient records. There were 8 incidents involving insider wrongdoing.

Protenus has drawn attention to the significant increase in records exposed/stolen through insider wrongdoing. In Q1, 4,597 patients were affected by insider wrongdoing, the number increased to 70,562 in Q2, and 290,689 patients were affected by insider wrongdoing incidents in Q3.

There were 22 breaches reported in Q3 that involved paper records (19% of the total). Those incidents saw 344,729 healthcare records exposed.

Healthcare providers disclosed 86 breaches in Q3, 13 health plans reported breaches, and a further 13 breaches were reported by business associates. 5 breaches were reported by other entities. 27 incidents – 23% of the total – had some business associate involvement.

On average, it took 402 days to discover data breaches. The median time to detect a breach was 51 days. One healthcare provider took 15 years to discover an employee had been accessing healthcare records without authorization. Over that time frame, the employee had viewed the records of 4,686 patients without any work reason for doing so. The average time to report breaches was 71 days and the median time was 57.5 days.

The states worst affected by healthcare data breaches in Q3 were Florida with 11 incidents, followed by California with 10, and Texas with 9 incidents.

The post Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches appeared first on HIPAA Journal.

Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program

An alarming number of healthcare organizations do not have comprehensive cybersecurity programs in place, according to the recently published 2018 CHIME Healthcare’s Most Wired survey.

The annual CHIME survey explores the extent to which healthcare organizations have adopted health information technology and draws attention to those that are ‘Most Wired’ and have the broadest, deepest IT infrastructure.

This year’s report highlights gaps in foundational technologies and strategies for security and disaster recovery. “Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” explained CHIME.

The attack surface has grown considerably in recent years due to increased adoption of networked medical devices and IoT technology. Threats to the privacy of sensitive information and security of systems and devices have grown and security is now a major challenge.

To address cybersecurity threats, many healthcare organizations have invested heavily in IT solutions and new technologies to secure their systems and data. A growing number of healthcare organizations have now adopted cybersecurity frameworks such as those developed by NIST and HITRUST, rather than relying on their own self-developed frameworks.

A comprehensive cybersecurity framework is an important component of any cybersecurity program, although CHIME has identified six other core building blocks of security that should be incorporated into healthcare security programs. These are:

  • Appointing a dedicated Chief Information Security Officer (CISO)
  • Progress tracking
  • Reporting of security deficiencies
  • Creating a governance committee dedicated to cybersecurity
  • Conducting security board meetings at least annually
  • Ensuring board-level oversight of cybersecurity

Appointing a dedicated CISO to oversee security and reporting security updates and progress toward security goals to an executive committee are important first steps to mitigate vulnerabilities, yet these foundational elements are still being developed by many healthcare organizations. Only 29% of healthcare organizations that took part in the survey said they had a comprehensive cybersecurity program in place that covered all of the above requirements.

Healthcare organizations were most likely to report security deficiencies (95%) and security progress (94%) to the board, but only 90% had a dedicated CISO. Only 79% had a dedicated cybersecurity committee, and just 34% had a board-level committee providing oversight of the security program.

Virtually all healthcare organizations that took part in the study had implemented firewalls and authentication controls and securely disposed of devices containing ePHI, but many other important safeguards were lacking. For instance, 10% of organizations lacked mobile device management solutions, 12% did not have unique user identifications or physical device locks, 14% did not use encryption on removable storage devices, and 18% were not yet encrypting data backups.

No man is an island, and the same is true of healthcare organizations. Accessing and sharing knowledge, best practices, and threat information is an important part of any cybersecurity program. While most healthcare organizations used at least one information sharing and analysis organization (ISAO), fewer than a third communicated with formal groups such as the Cyber Information Sharing and Collaboration Program (CISCP), National Cybersecurity & Communication Integration Center (NCCIC), or the Health Cybersecurity & Communication Integration Center (HCCIC).

The survey also assessed healthcare organizations’ ability to recover from disasters. Only 68% of organizations said they were confident that if an event wiped out their primary data center they would be able to restore clinical, financial, supply chain management, HR, and staffing systems within 24 hours.

CHIME identified ten critical elements of a comprehensive incident response plan:

  • Documented EHR outage procedures
  • Security/privacy breach notification procedures
  • Tabletop exercises conducted at least annually
  • Disaster recovery plans linked to business continuity
  • Marketing & communications team included in planning and exercises
  • HR team involvement in planning and exercises
  • Other members of the organization involved in planning and exercises
  • Resource management team involvement in planning and exercises
  • Legal team involvement in planning and exercises
  • Enterprise-wide exercises held at least annually

Only 26% of healthcare organizations had all ten elements, 43% had between 7 and 9 in their disaster response programs, and 31% had fewer than 7. Most organizations said they used a data repository to back up data and most used off-site data storage for backups.

While it is certainly encouraging that improvements are being made, there is still considerable room for improvement to bring cybersecurity programs up to the necessary standard.

The post Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program appeared first on HIPAA Journal.

Healthcare Organizations Account for a Quarter of SamSam Ransomware Attacks

The threat actors behind SamSam ransomware have been highly active this year and most of the attacks have been conducted in the United States. Out of the 67 organizations that the group is known to have attacked, 56 were on organizations based in the United States, according to a recent analysis by cybersecurity firm Symantec.

The attacks have been conducted on a wide range of businesses and organizations, although the healthcare industry has been extensively targeted. Healthcare organizations account for 24% of the group’s ransomware attacks.

It is unclear why healthcare organizations account for so many attacks. Symantec suggests that it could be due to healthcare organizations being easier to attack than other potential targets, or that there is a perception that healthcare providers are more likely to pay the ransom as they are reliant on access to patient data to operate.

In contrast to most ransomware attacks, the threat actors behind SamSam ransomware do not conduct random campaigns via email with the intention of infecting as many organizations as possible. SamSam ransomware attacks are highly targeted and conducted manually without any involvement from end users.

Access is gained to a healthcare network, the attackers move laterally, and the ransomware is manually deployed on as many devices as possible. When multiple devices have been compromised, the encryption routine is triggered on all infected devices simultaneously. This method ensures maximum disruption is caused, and with large numbers of devices taken out of action through file encryption, large ransoms can be demanded – typically of the order of around $50,000.

To gain access to networks the threat actors perform scans to identify organizations with open remote desktop protocol (RDP) connections. RDP backdoors can also be purchased on darknet forums, which may also be used to gain access to healthcare organizations’ networks.

Symantec points out that considerable work goes into each campaign. Once the perimeter has been breached, it can take several days for the threat actors to map the organization’s network and stealthily deploy their ransomware. The threat actors use off-the-shelf administration and pen testing tools – PsExec for instance – to allow them to move through the network without being identified. The Mimikatz hacking tool is also used to obtain passwords to infect further devices.

To reduce risk, healthcare organizations need to take steps to make it harder for the attackers to breach the perimeter, implement cybersecurity solutions to detect network intrusions and identify suspicious activity, and also ensure that backups are regularly made with copies of backed up files stored offline.

Good password policies are important to prevent brute force attacks. Strong unique passwords should be used and all default passwords must be changed. Rate limiting should also be applied to thwart brute force attacks and reports of suspicious login attempts should be automatically generated to alert security teams to a possible attack in progress. Access to public-facing ports should be restricted and multi-factor authentication should be applied on all applications. It is also strongly advisable to severely restrict the use of admin credentials.

The post Healthcare Organizations Account for a Quarter of SamSam Ransomware Attacks appeared first on HIPAA Journal.

Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted

Ransomware attacks are on the rise once again and healthcare is the most targeted industry, according to the recently published Beazley’s Q3 Breach Insights Report.

37% of ransomware attacks managed by Beazley Breach Response (BBR) Services affected healthcare organizations – more than three times the number of attacks as the second most targeted industry: Professional services (11%).

Kaspersky Lab, McAfee, and Malwarebytes have all released reports in 2018 that suggest ransomware attacks are in decline; however, Beazley’s figures show monthly increases in attacks in August and September, with twice the number of attacks in September compared to the previous month. It is too early to tell if this is just a blip or if attacks will continue to rise.

The report highlights a growing trend in cyberattacks involving multiple malware variants. One example of which was a campaign over the summer that saw the Emotet banking Trojan downloaded as the primary payload with a secondary payload of ransomware.

Emotet is used to steal bank credentials and has the capability to download further malicious payloads. Once credentials have been obtained, a ransomware payload is downloaded and executed. This twofer strategy has been adopted by several threat groups. The ransom demands can be considerable. One group demanded a $2.8 million ransom after an extensive infection that included the encryption of backups.

Beazley cites research conducted by Kivu Consulting that shows there has been an increase in the use of rough and ready ransomware variants that use powerful encryption to lock files yet lack the functionality to allow the full decryption of data. These attacks can see files remain locked even if a ransom is paid or the encryption/decryption process can result in file corruption and significant data loss.

These attacks show how critical it is for organizations to perform regular backups and to test those backups to ensure that file recovery is possible. Healthcare organizations should consider a 3-2-1 approach to backing up: create three backup copies, on at least two different media, with one copy stored securely offsite.
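The backup-testing step above, as an added example that is not from the Beazley report or the article: the script builds a SHA-256 manifest of the data to be protected, then checks each of three backup copies against that manifest and reports missing or corrupted files. The directory layout and file contents are constructed inside a temporary directory; one copy is deliberately damaged to show what an unrecoverable backup looks like in the report.

```python
"""Verify that backup copies are restorable by checking them against a manifest.

Added example (not the article's or any vendor's code): a SHA-256 manifest is
built from the source tree, and each backup copy of a 3-2-1 scheme is checked
against it. A copy that fails this check would not allow recovery after
ransomware, however many copies exist.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Digest a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_copy(copy_root, manifest):
    """Return the problems found in one backup copy (an empty list means it verifies)."""
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(copy_root, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != digest:
            problems.append(f"corrupted: {rel}")
    return problems


def verify_all(copies, manifest):
    """Verify every copy; return {copy_root: problems}."""
    return {c: verify_copy(c, manifest) for c in copies}


def demo():
    """Constructed scenario: one source tree, three copies, one copy silently damaged."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "ehr-data")
        os.makedirs(src)
        with open(os.path.join(src, "patients.csv"), "w") as f:
            f.write("id,name\n1,CONSTRUCTED SAMPLE\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample record\n")
        manifest = build_manifest(src)

        copies = [os.path.join(work, f"copy{i}") for i in range(1, 4)]
        for c in copies:
            shutil.copytree(src, c)
        # Simulate damage to one copy, as when ransomware reaches a mounted backup.
        with open(os.path.join(copies[2], "patients.csv"), "wb") as f:
            f.write(b"\x00\x00garbage")
        result = verify_all(copies, manifest)
    finally:
        shutil.rmtree(work)
    return {os.path.basename(c): probs for c, probs in result.items()}


if __name__ == "__main__":
    for copy_name, problems in demo().items():
        print(copy_name, "OK" if not problems else problems)
```

In practice the manifest is written at backup time and stored with the offline copy, so that a restore drill compares against what was backed up rather than against a source tree that may itself already be encrypted.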

It stands to reason that large organizations are an attractive target for cybercriminals. Large numbers of encrypted devices mean higher ransom demands can be issued. Large organizations are also more likely to have funds available to pay large ransoms, although they also have more resources to devote to cybersecurity.

Attacks on small to medium sized businesses are typically easier and this is reflected in Beazley’s figures. Out of the ransomware attacks that the BBR Services team has handled, 71% of victims were small to medium sized businesses.

The Breach Insights report shows that in contrast to most industry sectors, accidental disclosures are the leading type of breach in the healthcare industry, accounting for 32% of all data breaches in Q3, closely followed by hacks/malware incidents on 30%. Beazley notes that healthcare hacking/malware incidents have increased from 20% to 30% in 2018. 17% of breaches were caused by insiders, 9% involved the loss of physical records, and 6% involved the loss of portable electronic devices.

The post Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted appeared first on HIPAA Journal.

HHS Officially Opens its New Health Sector Cybersecurity Coordination Center

The U.S. Department of Health and Human Services (HHS) has officially opened its Health Sector Cybersecurity Coordination Center (HC3).

HC3, located in the Hubert H. Humphrey building at HHS headquarters in Washington D.C., was officially opened on October 29, 2018 by Deputy Secretary of the HHS, Eric Hargan.

HC3’s mission is to strengthen coordination and improve information sharing within the healthcare industry. HC3 will work closely with healthcare industry stakeholders, including practitioners, organizations, and cybersecurity information sharing organizations, to gain an understanding of current threats, patterns and attack trends. Information about current and emerging threats will be shared with healthcare organizations together with details of actions that can be taken to protect healthcare systems, medical devices and patient data.

The Department of Homeland Security (DHS) is the primary agency for dealing with cyber threats in the United States and is responsible for developing strategies to combat those threats. HC3 will work closely with DHS but will be solely focused on providing support to the healthcare sector to increase cyber resilience, strengthen coordination, and improve information sharing to help healthcare organizations take preventative steps to protect their assets and prevent patients from coming to harm.

Action certainly needs to be taken to improve healthcare cyber defenses. The healthcare industry is being extensively targeted by cybercriminals looking to steal sensitive patient data, sabotage systems, damage medical equipment, and encrypt files for financial gain. In the past year alone there have been more than 400 major data breaches reported by healthcare organizations.

Rapid identification of threats and the provision of timely, accurate, and actionable intelligence is critical to the prevention of cyberattacks. “We believe that when a risk is shared across sectors, the only way to manage that risk successfully is to manage it collectively,” explained Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications in DHS. “We know that the majority of the cybersecurity attacks that occurred over the past year could have been prevented with quality and timely information – and the heightened importance of sharing information cannot be stressed enough.”

The post HHS Officially Opens its New Health Sector Cybersecurity Coordination Center appeared first on HIPAA Journal.

Important Cybersecurity Best Practices for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks.

The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity.

While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data.

Healthcare organizations need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in cybersecurity solutions, although many smaller HIPAA-covered entities and business associates may struggle to find the necessary funds to devote to cybersecurity.

OCR has reminded HIPAA-covered entities that there are several basic cybersecurity safeguards that can be implemented to improve cyber resilience which only require a relatively small financial investment, yet they can have a major impact on an organization’s cybersecurity posture.

Recommended Cybersecurity Best Practices for Healthcare Organizations

OCR has drawn attention to four cybersecurity safeguards that can significantly reduce the impact of attempted cyberattacks and are also important for HIPAA Security Rule compliance.

Data Encryption

Encryption may only be an addressable implementation specification of the HIPAA Security Rule, but it is one of the most effective cybersecurity safeguards to ensure the confidentiality, integrity, and availability of ePHI. Encryption is the conversion of data to a secure, encrypted form. If correctly applied, data are unintelligible and can only be transformed back to a readable form with a decryption key. Any healthcare organization that has experienced a ransomware attack will be aware of how effective encryption is at preventing data access.

HIPAA-covered entities should assess whether encryption is an appropriate safeguard to implement for data at rest and in motion based on the results of a risk analysis.

Social Engineering Awareness

As the OCR Breach portal shows, email hacking incidents are a common cause of healthcare data breaches. Hackers often use phishing to trick healthcare employees into revealing their email credentials. Phishing is one of the most common and most effective social engineering tactics used by hackers to gain access to ePHI.

Spam filters and other email gateway cybersecurity solutions can reduce the volume of phishing emails that are delivered to mailboxes, but no solution will be able to prevent all phishing emails from being delivered. It is therefore essential for all healthcare employees to be trained how to identify social engineering attacks. Security awareness training can greatly reduce susceptibility to phishing attacks. Regular security awareness training sessions are also a required element of HIPAA Security Rule compliance.

Audit Logs

HIPAA-covered entities are required to create and monitor audit logs. Audit logs contain a record of events related to specific systems, devices, and software. By reviewing audit logs regularly, security teams can identify attempts by unauthorized individuals to gain access to ePHI before they result in a data breach. Audit logs can also be used to reconstruct past events and identify historic data breaches that would otherwise go undetected.
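The two uses of audit logs named above (catching unauthorized access to ePHI early, and reconstructing past events), as an added example that is not part of the OCR guidance: the script parses constructed audit-log lines in an assumed format (timestamp, user, action, patient id), compares each access against an assumed care-team roster, flags accesses with no treatment relationship, and rebuilds one user's full access history, the retrospective review that surfaces long-running record snooping.

```python
"""Review an ePHI access audit log for records viewed without a treatment relationship.

Added example (not from the OCR guidance): log format, roster and all events
are constructed. Accesses outside a user's care-team roster are flagged for
review, and a per-user history is reconstructed for retrospective analysis.
"""
from collections import Counter
from datetime import datetime

# Constructed audit-log lines; the format (ISO timestamp, user, action, patient) is assumed.
AUDIT_LOG = """\
2018-09-03T09:12:44 user=nurse_a action=VIEW patient=P1001
2018-09-03T09:15:10 user=nurse_a action=VIEW patient=P1002
2018-09-03T11:40:02 user=nurse_a action=VIEW patient=P2201
2018-09-03T11:41:30 user=nurse_a action=VIEW patient=P2202
2018-09-04T08:02:19 user=dr_b action=VIEW patient=P1001
2018-09-04T08:05:00 user=dr_b action=UPDATE patient=P1001
2018-09-04T13:20:00 user=nurse_a action=VIEW patient=P3301
2018-09-05T07:59:59 user=clerk_c action=VIEW patient=P1002
"""

# Assumed care-team roster: the patients each user has a treatment relationship with.
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "dr_b": {"P1001", "P1002"},
    "clerk_c": {"P1002"},
}


def parse(log_text):
    """Return a list of (timestamp, user, action, patient) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        kv = dict(part.split("=", 1) for part in fields[1:])
        events.append((datetime.fromisoformat(fields[0]), kv["user"], kv["action"], kv["patient"]))
    return events


def find_unjustified_access(events, roster):
    """Return events where a user touched a patient not on that user's roster."""
    return [e for e in events if e[3] not in roster.get(e[1], set())]


def summarise_by_user(flagged):
    """Count flagged accesses per user so the largest problem is reviewed first."""
    return Counter(user for _, user, _, _ in flagged)


def reconstruct_history(events, user):
    """Every record a user touched, in time order, with first and last access."""
    mine = sorted(e for e in events if e[1] == user)
    if not mine:
        return None
    return {"first": mine[0][0], "last": mine[-1][0], "patients": [e[3] for e in mine]}


if __name__ == "__main__":
    events = parse(AUDIT_LOG)
    flagged = find_unjustified_access(events, CARE_TEAM)
    for ts, user, action, patient in flagged:
        print(f"REVIEW {ts.isoformat()} {user} {action} {patient}: no treatment relationship")
    print("per user:", dict(summarise_by_user(flagged)))
    print("history nurse_a:", reconstruct_history(events, "nurse_a"))
```

The roster check is the simplest form of the rule; a production review would also compare against admissions and scheduling data and suppress emergency ("break the glass") accesses that were documented at the time. The point the paragraph makes still holds: without the log being recorded and actually reviewed, none of these accesses would ever be questioned.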

Correct Configuration of Software and Network Devices

Network devices, software, and cloud-based solutions may incorporate all the necessary security controls to prevent unauthorized access, but if the security controls are not correctly configured hackers have an easy entry point into a healthcare network.

Misconfigured S3 buckets, deactivated firewalls, out of date software, and missed patches often lead to healthcare data breaches, and misconfigured audit logs may not record information to allow suspicious activity to be detected. Steps should be taken to ensure that all systems, software, and devices are correctly configured, and regular security audits should be conducted to identify potential vulnerabilities.
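The misconfigured storage bucket mentioned above, as an added example that is not part of the OCR guidance: both bucket policies are constructed, and the checker implements the common rule that an Allow statement with a wildcard principal and no Condition makes the bucket public. The S3 Block Public Access flag names are the real ones; the checker takes that configuration as an assumed dictionary rather than calling AWS, so it runs offline against the weak policy and its corrected form side by side.

```python
"""Flag an S3 bucket policy that grants public access, beside the corrected form.

Added example (not from the OCR guidance): the policy documents are
constructed. The check looks for Allow statements open to any principal with
no Condition, and for Block Public Access flags that are switched off.
"""
import json

# Constructed policy: the misconfiguration, a world-readable bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-phi-exports",
                     "arn:aws:s3:::example-phi-exports/*"],
    }],
})

# Constructed policy: the corrected form, one role in the account, TLS required.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/phi-backup"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-phi-exports/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

# Real flag names from the S3 Block Public Access configuration.
BLOCK_PUBLIC_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (in either string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements open to any principal with no Condition."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [
        s.get("Sid", "<no Sid>") for s in stmts
        if s.get("Effect") == "Allow"
        and _is_wildcard_principal(s.get("Principal"))
        and not s.get("Condition")
    ]


def audit_bucket(name, policy_json, public_access_block):
    """Combine both checks; public_access_block is an assumed dict of the four flags."""
    findings = [f"{name}: statement {sid} grants public access"
                for sid in public_statements(policy_json)]
    for flag in BLOCK_PUBLIC_FLAGS:
        if not public_access_block.get(flag, False):
            findings.append(f"{name}: Block Public Access flag {flag} is off")
    return findings


if __name__ == "__main__":
    weak = audit_bucket("example-phi-exports", PUBLIC_POLICY, {"BlockPublicAcls": True})
    fixed = audit_bucket("example-phi-exports", RESTRICTED_POLICY,
                         dict.fromkeys(BLOCK_PUBLIC_FLAGS, True))
    print("weak configuration:\n  " + "\n  ".join(weak))
    print("corrected configuration:", fixed or "no findings")
```

Run this over every bucket's policy and public-access settings as part of the regular security audit the paragraph calls for; the same pattern (parse the configuration, assert the expected safe values, report each deviation) applies to firewall rule sets and audit-log settings.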

The post Important Cybersecurity Best Practices for Healthcare Organizations appeared first on HIPAA Journal.