Healthcare Cybersecurity

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches, with 41 reported incidents. While the month-over-month reduction in the number of breaches is certainly good news, the severity of some of the breaches reported in May puts the month on a par with April.

Healthcare Data Breaches (May 2018)

There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May, a 29.27% month-over-month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents, only 56,287 fewer than in the 41 incidents reported in April.

Healthcare Data Breaches - Records (May 2018)

In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records.

Causes of May 2018 Healthcare Data Breaches

Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices reported in May and no improper disposal incidents.

The 12 hacking/IT incidents reported in May resulted in the exposure/theft of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents resulted in unauthorized individuals obtaining the PHI of 2,265 individuals – 0.27% of the monthly total.

Causes of Healthcare Data Breaches (May 2018)

Largest Healthcare Data Breaches Reported in May 2018

The largest healthcare data breach reported in May 2018, by some distance, was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, although it occurred more than a year and a half earlier, in September 2016, when malware was installed on a server hosting its electronic health records.

In addition to names and contact information, clinical and treatment information, insurance information, and, in some instances, Social Security numbers were compromised. The scale of the breach and the types of information exposed make it one of the most serious healthcare data breaches discovered in 2018.

As the table below shows, hacks and IT incidents were behind the most serious breaches in May.

Breached Entity | Entity Type | Records Breached | Breach Type
LifeBridge Health, Inc. | Healthcare Provider | 538,127 | Hacking/IT Incident
The Oregon Clinic, P.C. | Healthcare Provider | 64,487 | Hacking/IT Incident
Dignity Health | Healthcare Provider | 55,947 | Unauthorized Access/Disclosure
Aultman Hospital | Healthcare Provider | 42,625 | Hacking/IT Incident
Holland Eye Surgery and Laser Center | Healthcare Provider | 42,200 | Hacking/IT Incident
USACS Management Group, Ltd. | Business Associate | 15,552 | Hacking/IT Incident
Florida Hospital | Healthcare Provider | 12,724 | Hacking/IT Incident
Aflac | Health Plan | 10,396 | Hacking/IT Incident
Cerebral Palsy Research Foundation of Kansas, Inc. | Healthcare Provider | 8,300 | Unauthorized Access/Disclosure
Associates in Psychiatry and Psychology | Healthcare Provider | 6,546 | Hacking/IT Incident

Records Exposed in Healthcare Data Breaches (May 2018)

Location of Breached Protected Health Information

In May, the most common location of breached protected health information was email: 11 of the 29 reported breaches involved hacked email accounts or misdirected emails. It was a similar story in April, when email was also the main location of breached PHI.

In May there were seven incidents affecting network servers (hacks, malware infections, and ransomware incidents) and seven incidents involving paper records.

Healthcare Data Breaches (May 2018) - Location of Breached PHI

Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of the healthcare data breaches in May 2018, with 22 incidents reported. Only two health plans suffered a data breach in May.

Five business associates of HIPAA-covered entities reported a breach, although a further four breaches had some business associate involvement.

Healthcare Data Breaches (May 2018) - Breaches by Covered Entity Type

Healthcare Data Breaches by State

California and Ohio were the worst affected by healthcare data breaches in May 2018, with each state having four breaches. Oregon and Texas each experienced two data breaches in May. Nevada saw four breaches reported, but three of those were the same incident, only reported separately by each of the three Dignity Health hospitals affected.

One healthcare data breach was reported by a HIPAA-covered entity or business associate based in Arkansas, Arizona, Colorado, Florida, Georgia, Indiana, Kansas, Massachusetts, Maryland, Michigan, Minnesota, Nebraska, and New York.

Financial Penalties for HIPAA Violations

While OCR and state attorneys general continue to enforce HIPAA Rules and take action against covered entities and business associates for noncompliance, there were no financial settlements announced by either in May 2018.

Data Source: The Department of Health and Human Services’ Office for Civil Rights.

The post May 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Advisory Issued About Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers

Siemens has proactively issued an advisory over two recently discovered vulnerabilities in its RAPIDLab and RAPIDPoint Blood Gas Analyzers.

No reports have been received to date to suggest either vulnerability has been exploited in the wild, although users of the devices are being encouraged to take steps to mitigate the risk.

The vulnerabilities affect Siemens RAPIDLab 1200 Series and RAPIDPoint 400/405/500 cartridge-based blood-gas, electrolyte, and metabolite analyzers.

CVE-2018-4845 affects the Remote View feature. An attacker with local or remote credentialed access to the feature could escalate privileges, potentially compromising the confidentiality, integrity, and availability of the system. No user interaction is required. The vulnerability has been assigned a CVSS v3.0 base score of 8.8.

CVE-2018-4846 concerns a factory account with a hardcoded password. The account could be used to gain remote access to the device over port 8900/tcp, compromising the confidentiality, integrity, and availability of the device. Exploitation requires no privileges or user interaction. The vulnerability has been assigned a CVSS v3.0 base score of 7.3. No special skills are required to exploit either vulnerability.

No patch covering all affected products has been released at present, although Siemens has identified workarounds and mitigations that reduce the risk of exploitation, detailed below by product and version:

Affected Product and Versions / Remediation

RAPIDLab 1200 systems, RAPIDPoint 400 systems and RAPIDPoint 500 systems: all versions not used with Siemens Healthineers Informatics products

  • Restrict physical access to authorized individuals only, to limit exposure to CVE-2018-4845.
  • Disable the Remote Viewing feature by following the instructions in the “Enabling or Disabling Remote Viewing” section of the analyzer Operator’s Guide, to limit exposure to CVE-2018-4845 and mitigate CVE-2018-4846.

RAPIDLab 1200 Series: all versions below V3.3 used with Siemens Healthineers Informatics products

  • Restrict physical access to authorized individuals only, to limit exposure to CVE-2018-4845.
  • Upgrade to V3.3 or V3.3.1. Contact your Siemens Healthineers service desk for more information.
  • Change the password according to the release notes, or contact the service department.
  • To ensure seamless and secure connectivity with the RAPIDComm® Data Management System, RAPIDComm V7.0 or higher is recommended.

RAPIDPoint 500 systems: all versions V3.0 and later used with Siemens Healthineers Informatics products

  • Restrict physical access to authorized individuals only, to limit exposure to CVE-2018-4845.
  • Change the password according to the release notes, or contact the service department.
  • To ensure seamless and secure connectivity with RAPIDComm, RAPIDComm V7.0 or higher is recommended.

RAPIDPoint 500 systems: V2.4.x used with Siemens Healthineers Informatics products

  • Restrict physical access to authorized individuals only, to limit exposure to CVE-2018-4845.
  • Upgrade to V3.0 and follow the instructions provided for V3.0.

RAPIDPoint 500 systems: all versions V2.3 and earlier used with Siemens Healthineers Informatics products

  • Restrict physical access to authorized individuals only, to limit exposure to CVE-2018-4845.
  • Siemens Healthineers will update its advisory when new information becomes available.

RAPIDPoint 400 systems: all versions used with Siemens Healthineers Informatics products

  • Restrict physical access to authorized individuals only, to limit exposure to CVE-2018-4845.
  • Upgrade to the RAPIDPoint 500 Series.
  • If upgrading is not an option, disable the Remote Viewing feature by following the instructions in the “Enabling or Disabling Remote Viewing” section of the analyzer Operator’s Guide, to limit exposure to CVE-2018-4845 and mitigate CVE-2018-4846.

The post Advisory Issued About Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers appeared first on HIPAA Journal.

Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security

A recent HIMSS survey has confirmed that medical device security is a concern and strategic priority for most healthcare organizations, yet fewer than half of healthcare providers have an approved budget for tackling security flaws in medical devices.

For the study, HIMSS surveyed 101 healthcare industry practitioners in the United States and Asia on behalf of global IT company Unisys.

85% of respondents to the survey said medical device security was a strategic priority and 58% said it was a high priority, yet only 37% of respondents had an approved budget to implement their cybersecurity strategy for medical devices. Small to medium sized healthcare providers were even less likely to have appropriate funds available, with 71% of companies lacking the funds for medical device security improvements.

Vulnerabilities in medical devices are frequently being identified. ICS-CERT has issued several recent advisories about flaws in a wide range of devices. In many cases, flaws are identified and corrected before they can be exploited by cybercriminals, although the WannaCry attacks last year showed just how much of a risk is involved – to providers as well as patients.

A recent MedCrypt-funded study from the University of California Cyber Team has revealed some healthcare organizations have experienced cybersecurity incidents involving insecure medical devices that have had an adverse effect on patients. The organizations that had experienced incidents involving compromised medical devices said between 100 and 1,000 patients had been affected.

“While most life sciences and healthcare organizations understand the need to strengthen device security, many are struggling with legacy devices that were never designed to be internet-accessible – and with the explosion of ransomware and sophisticated cyberattacks like WannaCry, that can put both the provider and the patient at risk,” said Bill Parkinson, global senior director, Unisys Life Sciences and Healthcare.

Respondents to the HIMSS/Unisys survey were asked what security measures they had in place to secure their medical devices. 85% said they used firewalls and network access control systems, although only 53% said they used segregated networks for medical devices, even though segmentation of networks can help organizations manage risk.

“To ensure proper security, all devices require equally strong protection – firewalls alone are not enough in today’s environment,” said Parkinson. “In this regard, microsegmentation, the ability to segment and restrict network and device data to pre-authorized groups of users and devices, can be a critical asset for hospitals and medical providers.”

The survey also investigated how healthcare providers are capturing and managing data collected by medical devices. Approximately 60% of healthcare providers said they were ready for a device audit at all times, but fewer than a third of providers were capturing device data in real-time.

“The importance of having access to real-time data cannot be underestimated. Not only can data analytics help life sciences and healthcare organizations reduce device downtime by ensuring devices are operational, it can significantly improve audit readiness and better inform future purchasing decisions,” said Parkinson.

The post Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security appeared first on HIPAA Journal.

Cofense Launches Free Tool That Checks for SaaS Applications Using Corporate Domains

The anti-phishing solution provider Cofense has launched a new tool that allows organizations to check what Software-as-a-Service (SaaS) applications have been registered by employees using corporate domains.

The tool identifies configured cloud services, allowing security teams to check which SaaS applications are in use and take action over unauthorized use of cloud applications by employees.

The solution will query a corporate domain against a list of commonly used SaaS applications and will return a list of all SaaS applications that are in use, highlighting applications that have been provisioned without prior approval from the IT department. A file can be downloaded detailing all SaaS applications in use which can be compared with future scans to identify new SaaS applications that have been provisioned since the last time the query was run.

Shadow IT introduces risks, yet IT departments are often unaware of employees’ activities. Many companies are in the dark about the software used by their employees and the cloud services registered using company domains. This new service will help to improve security by identifying the latter.

An additional threat from the unsanctioned use of SaaS applications is the potential for SaaS providers to be impersonated by scammers.

“CEO fraud or Business Email Compromise (BEC) is a very real threat that typically targets members in finance. But attackers can easily repurpose the technique, creating realistic phishing sites targeting HR, IT, Engineering, Support, etc., masquerading as cloud tools the organization actually uses,” said Cofense co-founder and CTO Aaron Higbee. “CloudSeeker shines a light on shadow IT and counters the security risk it presents by seamlessly fitting into an organization’s broader security ecosystem. By offering this free solution to businesses, we are leveling up the playing field between attackers and would-be victims. After all, putting up a good defense requires a strong offense; critical to this is knowing where the threats are in the first place.”

The cloud security tool – CloudSeeker – is available free of charge to all organizations, even those who have not signed up to use the Cofense suite of anti-phishing and phishing intelligence services. The solution only requires a corporate domain to be entered. No personally identifiable information is required.

The post Cofense Launches Free Tool That Checks for SaaS Applications Using Corporate Domains appeared first on HIPAA Journal.

Advisory Issued About Vulnerabilities in Philips IntelliVue Patient and Avalon Fetal Monitors

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory over vulnerabilities affecting certain Philips IntelliVue patient monitors and Avalon fetal monitors.

Three vulnerabilities have been identified by Philips and reported to ICS-CERT: two have been rated high and one medium.

If successfully exploited, an attacker could read or write device memory, or cause a denial of service by forcing a system restart. Exploitation of the flaws could delay the diagnosis and treatment of patients.

Products Affected:

  • IntelliVue Patient Monitors MP Series (including MP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M;
  • IntelliVue Patient Monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only);
  • Avalon Fetal/Maternal Monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0 and J.3

Vulnerabilities:

CWE-287 – Improper Authentication

After gaining LAN access, an unauthenticated attacker could exploit the vulnerability to write to the memory (write-what-where) of a chosen device within the same subnet.

CWE-200 – Information Exposure

Exploitation of this vulnerability could allow an unauthenticated attacker to read the memory of a chosen device within the same subnet.

CWE-121 – Stack-Based Buffer Overflow

The devices expose an echo service in which a buffer sent by an attacker to a chosen device address within the same subnet is copied to the stack without bounds checking, resulting in a stack-based buffer overflow.

Mitigations:

Philips disclosed the vulnerabilities under its Coordinated Vulnerability Disclosure Policy. The advisory was issued proactively so that users of the affected products can act before the vulnerabilities are exploited.

Philips notes that the vulnerabilities cannot be exploited from outside the network: a malicious actor must first gain access to the LAN on which the medical devices sit. Exploiting them also requires a considerable degree of technical expertise.

No public exploits for the vulnerabilities have been detected and there have been no reports of exploitation in the wild.

Philips is working on a patch to address all three issues in IntelliVue software Revisions J-M and Avalon software Revisions G.0 and J.3 in 2018. For unsupported versions, Philips will provide an upgrade path to a supported version. Users of unsupported versions should contact their Philips sales representative for further information.

In the meantime, users of the affected products can take the following steps to reduce the potential for exploitation of the vulnerabilities:

  • IntelliVue Monitors – Follow instructions for use in the Security for Clinical Networks Guide and update to Revision K.2 or newer software.
  • Avalon Fetal Monitors Release G.0 and Release J.3 – Follow the Data Privacy and Network Security Requirements in the installation and service manual.
  • Avalon Fetal Monitors Release F.0 – Follow the instructions as documented in the Rev J.3 Service Guide Data Privacy and Network Security Requirements section.
  • Implement physical security access controls to restrict access to the devices to authorized users, as detailed in the Philips Security for Clinical Networks guide and the IntelliVue Clinical Networks Configuration Guide.
  • Implement logical security access controls to prevent the devices from communicating outside the Philips clinical network.
  • Locate all vulnerable devices behind firewalls and isolate them from the business network.
  • Ensure the devices are not accessible over the Internet.

The post Advisory Issued About Vulnerabilities in Philips IntelliVue Patient and Avalon Fetal Monitors appeared first on HIPAA Journal.

Advisory Issued Over Vulnerabilities in BeaconMedaes TotalAlert Scroll Medical Air Systems Web Application

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory about remotely exploitable vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application.

The vulnerabilities are present in TotalAlert Scroll Medical Air Systems running software versions 4107600010.23 and earlier and require a low level of technical skill to exploit.

If successfully exploited, an attacker could view and potentially modify device information and web application setup information, although those modifications would not be sufficient to affect the ability of the device to operate as designed.

BeaconMedaes has stressed that the vulnerabilities cannot be exploited to gain access to patient health information and do not compromise compliance with the NFPA 99 standard for healthcare facilities.

ICS-CERT says two of the vulnerabilities have a CVSS v3 score of 7.5 out of 10 (high) and one has a CVSS v3 score of 5.3 (medium).

The two vulnerabilities rated high are CWE-522 (Insufficiently Protected Credentials) and CWE-256 (Unprotected Storage of Credentials). The CWE-522 issue could be exploited by an attacker with network access to the integrated web server to retrieve default or user-defined credentials that are stored and transmitted insecurely. The CWE-256 issue concerns passwords presented in plaintext in a file that can be accessed without authentication.

CWE-284 (Improper Access Control) is rated medium. By requesting a specific URL on the web server, an attacker could access information in the application without authentication.

The vulnerabilities were reported to the National Cybersecurity and Communications Integration Center (NCCIC) by security researcher Maxim Rupp.

NCCIC recommends users take measures to minimize the risk of the flaws being exploited. These include:

  • Minimizing network exposure for all control system devices
  • Ensuring control system devices are not exposed to the Internet
  • Locating control system networks behind firewalls
  • Isolating control system networks from the business network
  • Using VPNs when remote access is required, and keeping them updated to the most current version (VPNs themselves can have vulnerabilities).
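The network mitigations in the Siemens, Philips and BeaconMedaes advisories above (keep the devices off the Internet, behind firewalls and isolated from the business network, and disable or restrict the Siemens Remote Viewing service on 8900/tcp) can be checked against observed traffic. The Python below is an added example, not code from HIPAA Journal, the vendors or NCCIC: it audits constructed connection records against a constructed device inventory and flags connections to a medical device from a non-RFC1918 address, from outside the device’s clinical segment, or to 8900/tcp on a RAPIDLab/RAPIDPoint analyzer. The inventory, segment ranges, allowlisted host and flow records are all assumptions made for the example.

```python
"""Added example (not from the HIPAA Journal articles or from Siemens, Philips or
BeaconMedaes). It turns the network mitigations the three advisories share
(keep devices off the Internet, behind firewalls, isolated from the business
network) into a check over connection records: any connection reaching a
medical device from a non-RFC1918 address or from outside its clinical segment
is flagged, and any connection to 8900/tcp on a Siemens RAPIDLab/RAPIDPoint
analyzer is flagged separately, because that is the port the hardcoded factory
account (CVE-2018-4846) is reachable on and the workaround is to disable Remote
Viewing. Inventory, segments, allowlist and flow lines are all constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: device name -> (address, clinical segment). Not real hosts.
INVENTORY = {
    "rapidpoint-lab-01": ("10.20.1.15", "clinical-lab"),
    "intellivue-icu-07": ("10.20.2.42", "clinical-icu"),
    "medair-plant-01": ("10.20.3.5", "clinical-facilities"),
}
CLINICAL_SEGMENTS = {
    "clinical-lab": ipaddress.ip_network("10.20.1.0/24"),
    "clinical-icu": ipaddress.ip_network("10.20.2.0/24"),
    "clinical-facilities": ipaddress.ip_network("10.20.3.0/24"),
}
# 8900/tcp is the Remote Viewing port named in the Siemens advisory.
ADVISORY_PORTS = {"rapidpoint-lab-01": {8900}}
# Hypothetical allowlisted vendor-service jump host permitted to reach devices.
ALLOWED_SOURCES = {"10.50.0.10"}


def parse_flow(line):
    """Parse a constructed 'src_ip src_port dst_ip dst_port proto' record."""
    src, _sport, dst, dport, proto = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}


def device_for(ip):
    """Inventory name for a device address, or None if the destination is not a medical device."""
    for name, (addr, _segment) in INVENTORY.items():
        if addr == ip:
            return name
    return None


def audit_flow(flow):
    """Findings for one flow; an empty list means the flow is consistent with the mitigations."""
    findings = []
    device = device_for(flow["dst"])
    if device is None:
        return findings
    segment = INVENTORY[device][1]
    src = ipaddress.ip_address(flow["src"])
    if not any(src in net for net in RFC1918):
        findings.append(f"{device}: reached from public address {src}; device must not be Internet-accessible")
    elif src not in CLINICAL_SEGMENTS[segment] and str(src) not in ALLOWED_SOURCES:
        findings.append(f"{device}: reached from {src} outside segment {segment}; isolate from the business network")
    if flow["proto"] == "tcp" and flow["dport"] in ADVISORY_PORTS.get(device, set()):
        findings.append(f"{device}: connection to {flow['dport']}/tcp (Remote Viewing); confirm the feature is disabled or the factory password changed")
    return findings


def audit(lines):
    """Run audit_flow over flow records, skipping blank and comment lines."""
    findings = []
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            findings.extend(audit_flow(parse_flow(line)))
    return findings


# Constructed flow records (198.51.100.77 is a documentation address standing in for a public one).
SAMPLE_FLOWS = """\
# src_ip src_port dst_ip dst_port proto
10.20.1.30 51000 10.20.1.15 443 tcp
10.50.0.10 51001 10.20.1.15 8900 tcp
10.99.7.21 51002 10.20.1.15 8900 tcp
198.51.100.77 51003 10.20.3.5 80 tcp
10.20.2.40 51004 10.20.2.42 5000 udp
10.99.7.22 51005 10.20.2.42 5000 udp
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run as a script it prints five findings for the sample records: the allowlisted host and a business-network host both reaching the analyzer’s Remote Viewing port, the business-network host being outside the lab segment, the medical air system being reached from a public address, and a business-network host reaching the ICU monitor. In practice the records would come from firewall or NetFlow exports and the inventory from the organization’s medical device asset register.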

BeaconMedaes has assessed the vulnerabilities and released an update, version 4107600010.24, that corrects the flaws; it should be applied as soon as possible.

BeaconMedaes recommends affected users contact the company directly on 1-888-4MEDGAS (463-3427) to obtain the update.

NCCIC recommends that prior to updating software or implementing defensive measures, organizations should perform an impact analysis and risk assessment.

The post Advisory Issued Over Vulnerabilities in BeaconMedaes TotalAlert Scroll Medical Air Systems Web Application appeared first on HIPAA Journal.

Lack of Visibility into Employee Activity Leaves Organizations Vulnerable to Data Breaches

The 2018 Insider Threat Intelligence Report from Dtex Systems shows how a lack of visibility into employee activities is preventing security teams from acting on serious data security threats.

The report is based on data gathered from risk assessments performed on the firm’s customers and prospective customers. Those risk assessments highlighted just how common it is for employees to attempt to bypass security controls, download shadow IT, and violate company policies.

If your risk assessment has identified employees attempting to bypass security controls, you are not alone. According to the Dtex Systems report, 60% of risk assessments uncovered attempts by employees to bypass an organization’s security controls, use of private and anonymous browsers, or cases where employees had researched how to bypass security controls.

In most cases, employees attempt to bypass security controls to reach websites that breach acceptable internet usage policies, such as adult content, gaming, and gambling sites, and to access P2P file sharing websites. 67% of companies discovered inappropriate Internet use. It is also common for employees to download shadow IT to make their jobs easier; use of tools such as Dontsleep, Caffeine, Wireshark, or SnippingTool is common even though those programs are prohibited.

While there may be no malicious intent, these actions jeopardize security and could easily result in the accidental disclosure of sensitive information or malware infections. Programs such as open VPN tools and CCleaner are also commonly downloaded; both are an indicator of employees attempting to cover their tracks, potentially to hide malicious activities.

72% of risk assessments determined at least some employees were using high-risk applications or hacking tools and 90% of risk assessments showed employees were transferring data to unencrypted USB devices. 78% of companies also discovered company data that were publicly accessible online due to mistakes made by employees.

The 2018 Verizon Data Breach Investigations Report showed almost a third of the 2,216 confirmed breaches were caused by insiders and insider data breaches are far more common in the healthcare industry. Typically, in any given month, more healthcare industry data breaches are caused by insiders than breaches caused by external threat actors.

While technological controls can be implemented to improve security, it is important not to neglect the human element. Security awareness training shows employees how certain behaviors can easily result in a data breach; however, employees are often aware that certain actions increase risk yet still engage in them. Many employees do not believe their own actions will result in a data breach, rely on IT teams to take care of cybersecurity, and take no personal responsibility for helping to keep their company’s systems and data secure.

Security teams can take steps to reduce risk, but unless they have visibility into what employees are doing they will not know the extent of the risk-taking and could remain blind to these potentially dangerous activities.

Unfortunately, no single solution can be used to protect against insider threats. Only by using a range of solutions will healthcare organizations be able to tackle the problem of insider data breaches.

In addition to performing regular risk analyses to identify potential threats, Dtex Systems suggests the use of Security Information and Event Management (SIEM), user behavior analytics, and data loss prevention technologies. Additionally, employee monitoring solutions and user behavior intelligence are required to highlight abnormal activities and suspicious behavior. Such solutions will help security teams identify insider threats and take action before they lead to a data breach.

The post Lack of Visibility into Employee Activity Leaves Organizations Vulnerable to Data Breaches appeared first on HIPAA Journal.

DMARC Still Not Widely Adopted by Healthcare Organizations

By adopting the Domain-based Message Authentication, Reporting and Conformance (DMARC) Standard, healthcare organizations can detect and prevent email spoofing and abuse of their domains; however, relatively few healthcare organizations are using DMARC, according to a recent study conducted by the email authentication vendor Valimail.

DMARC is an open standard that lets a domain owner declare which authenticated senders may use its domain in the From field of an email, and what receiving servers should do with messages that fail that check. Without DMARC, it is easy for an attacker to send an email that carries a company’s domain in the From field.

Security awareness programs train employees never to click on hyperlinks or open attachments contained in emails from unknown senders. However, when the email appears to have been sent from a contact or known individual, the messages are often opened, links are clicked, and attachments are opened.

Research conducted by Cofense suggests more than 91% of all cyberattacks start with a phishing email, and the majority of successful phishing attacks use email impersonation techniques. If controls are not implemented to block email impersonation, companies will be vulnerable to phishing attacks.

DMARC is one of the most effective anti-phishing controls. When a domain publishes a DMARC record, the receiving server checks whether the message passed SPF or DKIM for a domain that aligns with the domain in the From field. If the message is authenticated, it is delivered. If authentication fails, the receiving server takes the action specified in the DMARC record: under the permissive monitor-only policy (p=none) the message is still delivered, under p=quarantine it is directed to the quarantine (spam) folder, and at the most aggressive level (p=reject) it is rejected.

For the study, Valimail assessed the domains of 928 healthcare companies around the world with annual revenues in excess of $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those companies (13%) have adopted DMARC to secure their domains and prevent email spoofing.

Even when DMARC is implemented, most healthcare companies set permissive monitor-only policies. While those organizations will be alerted to email impersonation attacks, the messages will not be blocked. Few healthcare organizations have implemented DMARC at the enforcement level, which is necessary to protect against email impersonation attacks. Overall, only 1.7% of healthcare organizations have set policies that reject emails sent by unauthorized senders.

While few healthcare companies have adopted DMARC, the study showed a majority (60%) have adopted the Sender Policy Framework (SPF) standard. SPF is an effective control, but it only validates the envelope sender (the Return-Path) against the domain’s published list of authorized sending hosts. It does not stop an attacker from placing an organization’s domain in the From field, so on its own it does not prevent email impersonation attacks.
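The difference between SPF alone and DMARC at enforcement is easiest to see in code. The following Python is an added example, not part of the HIPAA Journal article or of Valimail’s study: it classifies constructed DMARC records into the monitor-only, quarantine and reject tiers described above, then evaluates a spoofed message to show that a sender with valid SPF for its own domain passes SPF while failing DMARC, with the outcome depending on the impersonated domain’s policy. The domains, DNS records, IP addresses and the simplified organizational-domain logic are assumptions made for the example.

```python
"""Added example (not code from the HIPAA Journal article or from Valimail).
(1) dmarc_posture() classifies a domain into the monitor-only / quarantine /
reject tiers described above; (2) evaluate() shows why a passing SPF check
alone does not stop header-From impersonation: DMARC also requires the
SPF-authenticated domain to align with the From header. DNS records and
messages are constructed for the example; no network lookups are made."""
import ipaddress

# Constructed stand-ins for TXT lookups of _dmarc.<domain> (DMARC) and <domain> (SPF).
DNS_TXT = {
    "_dmarc.hospital.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital.example",
    "_dmarc.pharmacy.example": "v=DMARC1; p=quarantine; pct=50",
    "_dmarc.clinic.example": "v=DMARC1; p=reject; aspf=s",
    "hospital.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

# What a receiver does with mail that fails DMARC, per published policy.
DISPOSITION = {"none": "deliver (report only)", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags; None if not a valid record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def dmarc_posture(domain):
    """'missing', 'monitor-only' (p=none), 'quarantine' or 'reject'. A pct below 100 is
    appended because only that share of failing mail is acted on."""
    tags = parse_dmarc(DNS_TXT.get(f"_dmarc.{domain}", ""))
    if tags is None:
        return "missing"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"
    pct = int(tags.get("pct", "100"))
    return policy if pct == 100 else f"{policy} ({pct}%)"


def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplified to the last two labels;
    a real receiver consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def spf_result(mail_from_domain, client_ip):
    """Minimal SPF evaluator: 'pass' if client_ip matches an ip4: mechanism in the
    domain's record, else 'fail'. Only ip4: terms are handled (enough for the records above)."""
    ip = ipaddress.ip_address(client_ip)
    for term in DNS_TXT.get(mail_from_domain, "").split():
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
    return "fail"


def evaluate(client_ip, mail_from_domain, header_from_domain):
    """Return (spf, dmarc, disposition) for one message. DKIM is omitted: the constructed
    messages carry no signature, so the SPF path is the only way to pass DMARC here."""
    spf = spf_result(mail_from_domain, client_ip)
    tags = parse_dmarc(DNS_TXT.get(f"_dmarc.{header_from_domain}", ""))
    if tags is None:
        return spf, "none", "deliver (no DMARC policy published)"
    if tags.get("aspf", "r").lower() == "s":          # strict: exact domain match
        aligned = mail_from_domain.lower() == header_from_domain.lower()
    else:                                             # relaxed: same organizational domain
        aligned = org_domain(mail_from_domain) == org_domain(header_from_domain)
    if spf == "pass" and aligned:
        return spf, "pass", "deliver"
    return spf, "fail", DISPOSITION[tags["p"].lower()]


if __name__ == "__main__":
    for d in ("hospital.example", "pharmacy.example", "clinic.example", "devices.example"):
        print(f"{d}: DMARC {dmarc_posture(d)}")
    # Legitimate mail from the hospital's own relay: SPF pass, aligned, delivered.
    print(evaluate("198.51.100.25", "hospital.example", "hospital.example"))
    # Attacker's own domain has valid SPF but the From header spoofs the hospital:
    # SPF passes, DMARC fails, and a p=none policy still lets the message through.
    print(evaluate("203.0.113.7", "attacker.example", "hospital.example"))
    print(evaluate("203.0.113.7", "attacker.example", "clinic.example"))
```

The spoofed message passes SPF in every case because the attacker controls its own Return-Path domain; only the impersonated domain’s DMARC policy decides whether it is delivered (p=none), quarantined, or rejected, which is the gap between the 60% SPF adoption and the 1.7% reject-level DMARC adoption reported above.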

DMARC adoption is increasing, although implementation is clearly a challenge for many healthcare organizations. Valimail notes in its report that it is typically only the largest healthcare organizations that successfully implement DMARC, suggesting DMARC implementation is a resource issue for smaller companies.

The post DMARC Still Not Widely Adopted by Healthcare Organizations appeared first on HIPAA Journal.

HITRUST Now Offers NIST Cybersecurity Framework Certification

The security and privacy standards development and accreditation organization HITRUST has started offering certification for the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The certification program makes it easier for healthcare organizations to report progress to management, business partners, and regulators and verify they have met NIST cybersecurity framework controls.

The NIST Cybersecurity Framework is a set of standards and best practices that help organizations improve security, manage cybersecurity risk, and protect critical infrastructure. Many healthcare organizations have adopted the NIST cybersecurity framework but are unsure how they are doing in the cybersecurity categories.

Through the HITRUST CSF Assurance Program, healthcare organizations can assess whether they have met the requirements in each of the NIST categories.

The HITRUST CSF now includes a scorecard that shows how an organization’s security program maps to the core subcategories of the NIST Cybersecurity Framework and rates compliance for each subcategory. Organizations that achieve a sufficient score are issued a certification against the NIST Cybersecurity Framework, confirming that they are meeting its requirements.

The Government Accountability Office (GAO) has confirmed that the HITRUST CSF aligns with the NIST Cybersecurity Framework and allows organizations to demonstrate compliance.

NIST has also developed guidance for healthcare organizations to help them implement the various controls detailed in the NIST Framework. The implementation guidance can be used even if organizations choose not to go through the assessment process.

“The HITRUST CSF’s integration and harmonization of multiple industry-relevant statutory, regulatory and best practice requirements into a single, prescriptive, yet highly tailorable framework makes it extremely easy for organizations to determine an appropriate Target Profile and subsequently implement and report their progress towards a cybersecurity program that fulfills the goals and objectives of the NIST Framework”

HITRUST CSF Assurance Program has been adopted by approximately 80% of hospitals and insurance companies. Through a single assessment, healthcare organizations can assess compliance with the HIPAA Security and Privacy Rules, the NIST Cybersecurity Framework, GDPR, ISO 27001, PCI and other leading standards and frameworks.

The post HITRUST Now Offers NIST Cybersecurity Framework Certification appeared first on HIPAA Journal.