Healthcare Cybersecurity

NCCoE Releases Final Guidance on Effective Enterprise Patch Management

The National Cybersecurity Center of Excellence (NCCoE) has released the final versions of two Special Publications that provide guidance on enterprise patch management practices to prevent the exploitation of vulnerabilities in IT systems.

Cybercriminals and nation-state threat actors target unpatched vulnerabilities in software, operating systems, and firmware to gain access to business networks to steal sensitive data and disrupt operations. It is vital for all organizations to ensure patches and software/firmware updates are implemented promptly to prevent exploitation.

“Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions,” explained NCCoE. “It helps prevent compromises, data breaches, operational disruptions, and other adverse events.”

While the importance of prompt patching is well understood by IT, security, and technology management, the importance and value of patching is typically less well understood by organizations’ business and mission owners. Despite vulnerabilities being regularly exploited by threat actors, many organizations either cannot or do not adequately patch. One of the main issues is the sheer number of patches and software/firmware upgrades that need to be performed and the time it takes to fully test patches before deployment and apply those patches across the entire organization. Many organizations also struggle with the prioritization of patching and fail to ensure that the most serious vulnerabilities are patched first.

NCCoE worked closely with cybersecurity technology providers to develop two guidance documents: Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (NIST SP 800-40 Rev. 4) and Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways (NIST SP 1800-31). The first helps enterprises plan patch management; the second shows how to implement it with tools they already have. Both documents discuss the challenges organizations need to overcome in patch management and recommend a strategy that can be adapted to simplify and operationalize patching so that risk is reduced more effectively.

By following the patch management guidance, organizations can ensure effective preventive maintenance to reduce the risk of data breaches, disruption to business processes, and other adverse security events.


The post NCCoE Releases Final Guidance on Effective Enterprise Patch Management appeared first on HIPAA Journal.

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

The Department of Health and Human Services’ Office for Civil Rights has released a Request for Information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires HHS to consider the security practices that a HIPAA-regulated entity has implemented when deciding on financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits.

The aim of the HIPAA Safe Harbor Act was to encourage HIPAA-regulated entities to implement cybersecurity best practices, with the reward being lower financial penalties for data breaches and less scrutiny by the HHS if industry-standard security best practices have been implemented for the 12 months prior to a data breach occurring.

Another outstanding requirement that dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments with individuals who have been harmed as a result of the violations for which the penalties have been applied. The HITECH Act calls for a methodology to be established by the HHS for determining appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the harm that has been caused.

Earlier this year, the recently appointed Director of the HHS’ Office for Civil Rights (OCR) – Lisa J. Pino – confirmed that these two requirements of the HITECH Act were being addressed this year. Yesterday, OCR published the RFI in the Federal Register seeking public comment on these two requirements of the HITECH Act.

Specifically, OCR is seeking feedback on what constitutes “Recognized Security Practices,” the recognized security practices that are being implemented to safeguard electronic protected health information by HIPAA-compliant entities, and how those entities anticipate adequately demonstrating that recognized security practices are in place. OCR would also like to learn about any implementation issues that those entities would like to be clarified by OCR, either through further rulemaking or guidance, and suggestions on the action that should initiate the beginning of the 12-month look-back period, as that is not stated in the HIPAA Safe Harbor Act.

One of the main issues with the requirement to share CMPs and settlements with victims is that the HITECH Act does not define harm. OCR is seeking comment on the types of “harms” that should be considered when distributing a percentage of CMPs and settlements, and suggestions on potential methodologies for sharing and distributing monies to harmed individuals.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

In order to be considered, comments must be submitted to OCR by June 6, 2022.


The Protecting and Transforming Cyber Health Care (PATCH) Act Introduced to Improve Medical Device Cybersecurity

A bipartisan pair of senators have introduced the Protecting and Transforming Cyber Health Care (PATCH) Act which aims to improve the security of medical devices.

Vulnerabilities are often identified in medical devices that could potentially be exploited by threat actors to change the functionality of the devices, render them inoperable, or use the devices as a springboard for more extensive attacks on healthcare networks. Over the course of the pandemic, cyberattacks on healthcare organizations have increased, and medical devices and the networks to which they connect have been affected by ransomware attacks. These attacks have affected hospitals, patients, and the medical device industry.

U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced the PATCH Act to ensure that the U.S. healthcare system’s cyber infrastructure remains safe and secure. The PATCH Act will update the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to include details of the cybersecurity protections that have been implemented.

If passed, before a medical device can be approved for use by the Food and Drug Administration (FDA), manufacturers will need to ensure that critical cybersecurity requirements have been implemented. The PATCH Act also calls for manufacturers of medical devices to design, develop, and maintain processes and procedures to update and patch the devices and related systems throughout the lifecycle of the device. A Software Bill of Materials for each device must also be provided to users which will make it easier to identify vulnerabilities that affect the devices, including vulnerabilities in open source components and dependencies.

The PATCH Act also requires medical device manufacturers to develop a plan for monitoring, identifying, and addressing post-market cybersecurity vulnerabilities, and to maintain a coordinated vulnerability disclosure process as part of demonstrating the safety and effectiveness of a device.

“New medical technologies have incredible potential to improve health and quality of life,” said Dr. Cassidy. “If Americans cannot rely on their personal information being protected, this potential will never be met.”

“In recent years, we’ve seen a significant increase in cyber-attacks that have exposed vulnerabilities in our health care infrastructure, impacting patients across Wisconsin and the country. We must take these lessons learned to better protect patients,” said Senator Baldwin. “I am excited to introduce the bipartisan PATCH Act to ensure that innovative medical technologies are better protected from cyber threats and keep personal health information safe while also finding new ways to improve care.”

A companion bill was introduced by Reps. Michael C. Burgess (R-TX) and Angie Craig (D-MN) in the House of Representatives.


Differences Between Small and Large Healthcare Organizations on Security

A recent survey of healthcare providers by Software Advice provides insights into healthcare data breaches, their root causes, and the different security practices at small and large healthcare providers.

The survey was conducted on 130 small practices with 5 or fewer licensed providers and 129 large practices with six or more providers to understand the security issues they face and the measures each group has taken to protect against cyberattacks and data breaches. Across both groups of healthcare providers, more than half store more than 90% of patient data digitally, such as patient records, medical histories, and billing records. While digital records are more efficient, there is a risk that hackers will be able to gain access to patient information.

Hackers tend to target larger practices rather than small practices, based on the number of reported data breaches. 48% of large healthcare providers said they had experienced a data breach in the past, and 16% said they had suffered a breach in the past 12 months. One in four small practices had experienced a breach in the past (23%), with 5% experiencing a breach in the past year. By far the biggest cause of data breaches was human error. 46% of small practices and 51% of large practices said human error was the leading cause of data breaches.

23% of small healthcare practices said they had experienced a ransomware attack in the past, compared to 45% of large practices; 5% of small practices and 12% of large practices had been attacked in the past 12 months. 76% of small practices and 74% of large practices said they were able to recover at least some of their data from backups without paying the ransom, which highlights the importance of having good backup policies. That is especially important because paying the ransom comes with no guarantee that files can be recovered: 23% of small practices paid the ransom to recover their data, compared to 19% of large healthcare providers, and 14% of small healthcare providers said they did not recover their data after paying.

11% of large practices permanently lost their data due to the attack, 7% accepted data loss and 4% paid the ransom but were still unable to recover their data. Most of the healthcare providers did not state how much was paid as a ransom. Two small practices said they paid between $5,000 and $10,000 and two paid between $25,000 and $100,000.

To defend against attacks, healthcare organizations have implemented a range of technical safeguards, the most common being firewalls, antivirus software, email security solutions, and data backup technology. Small practices were investing more money than larger organizations in antivirus technology, and while such solutions are important, it is also important to invest in email and network security tools. Larger organizations with deeper pockets were more likely to invest in those tools and were better protected as a result. Software Advice suggests that smaller healthcare providers should consider shifting spending from antivirus software toward email and network security, as that could help to prevent more data breaches.

It is important not to neglect the human element of cybersecurity, especially considering the large number of data breaches that were attributed to human error. Providing security awareness training to employees is a requirement of the HIPAA Security Rule, but it should not just be a checkbox option. Regular security awareness training to teach employees how to recognize and avoid threats can greatly reduce the risk of a successful cyberattack but 42% of small practices and 25% of large practices said they spent no more than 2 hours on privacy and security awareness training for employees in 2021.

2-factor authentication is an important security measure to implement to prevent stolen credentials from being used to access accounts. Microsoft has previously said that 2-factor authentication can block more than 99% of automated attacks on accounts. It is encouraging that 90% of large practices have implemented 2FA to some degree, but small practices are much less likely to use 2FA to protect their accounts. 22% of small practices said they have not implemented 2FA at all and 59% only use 2FA on some applications.

“Paying for every data protection tool available isn’t a wise option as it leaves you vulnerable to other avenues of attack or breach, such as incidental exposure or human error. Instead, remember that you must guard yourself on multiple fronts,” suggests Software Advice. That involves training employees, investing in the right security tools to protect data, and developing an action plan to help mitigate harm in the event of a breach or attack.


Warnings Issued About Vulnerabilities in the Spring Application Building Platform and UPS Devices

Two remote code execution vulnerabilities have been identified in Spring, a popular application framework that software developers use to build Java applications rapidly. Proof-of-concept exploits for both vulnerabilities are in the public domain and at least one of the vulnerabilities is being actively exploited.

The first vulnerability – CVE-2022-22963 – affects Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions and is remotely exploitable in the default configuration while running a Spring Boot application that depends on Spring Cloud Function, such as when depending on packages such as spring-cloud-function-web and spring-cloud-starter-function-web.

According to VMware, which owns Spring, when the routing functionality is used it is possible for a user to supply a specially crafted SpEL expression as the routing expression, which allows remote code execution and access to local resources. The vulnerability was initially assigned a CVSS severity score of 5.4, but was later upgraded to critical. Proof-of-concept exploits for the vulnerability are in the public domain.

The vulnerability has been addressed by VMware in Spring Cloud Function versions 3.1.7 and 3.2.3. Immediate upgrading to a fixed version is recommended to prevent exploitation.

A proof-of-concept exploit has also been publicly released for a zero-day vulnerability in the Spring Framework itself. The vulnerability, dubbed Spring4Shell, allows unauthenticated attackers to remotely execute code on affected applications.

The vulnerability, tracked as CVE-2022-22965, is not a deserialization bug: it is a data-binding flaw in Spring MVC and Spring WebFlux. On JDK 9 or higher, request parameters can be bound to ClassLoader properties reachable through the class.module.classLoader chain, which gives an attacker a path to remote code execution. A public exploit exists, but it does not work when the application is deployed as a Spring Boot executable jar, which is the default. The published exploit requires the application to run on Apache Tomcat as a WAR deployment with a spring-webmvc or spring-webflux dependency; however, the underlying flaw is more general, and other ways to exploit it may exist.

The vulnerability is not as serious as the Log4J/Log4Shell vulnerability, but Spring is popular and widely used for building applications.

The vulnerability has been fixed in the following versions:

  • Spring Framework 5.3.18 and Spring Framework 5.2.20
  • Spring Boot 2.5.12
  • Spring Boot 2.6.6
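
Upgrading is the fix for both bugs, but until every deployment is patched, a practitioner also wants to know whether either exploit is being thrown at their applications. The following detector is an added example written for this page; it is not code from Spring, VMware or HIPAA Journal. It assumes two things drawn from Spring's published advisories: that the CVE-2022-22963 routing expression is supplied in a request header named spring.cloud.function.routing-expression, and that CVE-2022-22965 probes carry parameter names of the form blocked by Spring's own workaround (class.*, Class.*, *.class.*, *.Class.*), with class.module.classLoader as the tightest signature. The request records are constructed for the example and are not real traffic.

```python
"""Scan web requests for the exploit signatures of the two Spring CVEs above.

Added detection example; this is not code from Spring, VMware or HIPAA Journal.
The request records below are constructed for the example, not real traffic.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# CVE-2022-22965: Spring's own workaround blocks binding to parameter names
# matching "class.*", "Class.*", "*.class.*" and "*.Class.*"; the same shape is
# used here as a broad indicator, and the classLoader walk as a tight one.
BINDING_PATTERN = re.compile(r"(^|\.)[cC]lass\.")
CLASSLOADER_PATTERN = re.compile(r"class\.module\.classLoader", re.IGNORECASE)

# CVE-2022-22963: the routing expression arrives in this request header
# (name taken from the Spring Cloud Function advisory). A legitimate client can
# set it, so only a SpEL type reference "T(" is treated as an indicator here.
ROUTING_HEADER = "spring.cloud.function.routing-expression"
SPEL_TYPE_REF = re.compile(r"\bT\s*\(")


def _header(req, name):
    """Case-insensitive header lookup on a request record."""
    for key, value in req.get("headers", {}).items():
        if key.lower() == name.lower():
            return value
    return None


def _param_names(req):
    """Yield parameter names from the query string and a form-encoded body."""
    query = urlsplit(req.get("path", "")).query
    for name, _ in parse_qsl(query, keep_blank_values=True):
        yield name
    ctype = _header(req, "content-type") or ""
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, _ in parse_qsl(req.get("body", ""), keep_blank_values=True):
            yield name


def find_spring_indicators(req):
    """Return the sorted CVE IDs whose exploit signature appears in one request."""
    hits = set()
    for name in _param_names(req):
        if CLASSLOADER_PATTERN.search(name) or BINDING_PATTERN.search(name):
            hits.add("CVE-2022-22965")
    expr = _header(req, ROUTING_HEADER)
    if expr is not None and SPEL_TYPE_REF.search(expr):
        hits.add("CVE-2022-22963")
    return sorted(hits)


def scan(requests):
    """Return (index, cve_ids) for every request that carries an indicator."""
    results = []
    for i, req in enumerate(requests):
        cves = find_spring_indicators(req)
        if cves:
            results.append((i, cves))
    return results


# Constructed sample traffic: one request per case, plus a benign control.
SAMPLE_REQUESTS = [
    {   # Spring4Shell-style data-binding probe in the query string
        "method": "GET",
        "path": "/app/index?class.module.classLoader.resources.context.parent"
                ".pipeline.first.pattern=%25%7Bc2%7Di",
        "headers": {"User-Agent": "curl/7.81.0"},
        "body": "",
    },
    {   # SpEL injection through the routing-expression header
        "method": "POST",
        "path": "/functionRouter",
        "headers": {"spring.cloud.function.routing-expression":
                    'T(java.lang.Runtime).getRuntime().exec("id")'},
        "body": "payload",
    },
    {   # benign request: ordinary parameter names, no routing header
        "method": "GET",
        "path": "/app/patients?id=42&sort=classification",
        "headers": {"User-Agent": "Mozilla/5.0"},
        "body": "",
    },
    {   # binding attempt hidden in a form body rather than the query string
        "method": "POST",
        "path": "/app/profile",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "name=alice&Class.classLoader.defaultAssertionStatus=true",
    },
]

if __name__ == "__main__":
    for index, cves in scan(SAMPLE_REQUESTS):
        req = SAMPLE_REQUESTS[index]
        print(f"request {index}: {req['method']} {req['path']} -> {', '.join(cves)}")
```

Parameter names are matched rather than values because the binding attack lives entirely in the name; the benign control with a value of "classification" is therefore not flagged, while the form-body variant is caught even though nothing suspicious appears in the URL. Feed real access logs or a proxy export into the same record shape to hunt for exploitation attempts while the upgrades roll out.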

CISA Warns of Attacks on Uninterruptible Power Supply Devices

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) have issued a warning that cyber threat actors are exploiting vulnerabilities in Internet-connected uninterruptible power supply (UPS) devices to gain access to networks.

UPS devices are routinely attached to networks for power monitoring, maintenance, and convenience, and are used to provide clean and emergency power to IT equipment and applications. Many UPS vendors have added IoT capabilities to the devices to allow them to be accessed via the Internet.

CISA and the DoE are aware of threat actors using these devices to gain access to networks, most commonly by using unchanged default usernames and passwords to access the devices.

All users of these devices have been advised to immediately enumerate their UPSs and similar systems and ensure they are not accessible from the Internet, or, if Internet access is required, to place the device or system behind a virtual private network. Default credentials should be changed, long passwords or passphrases should be used to secure the devices, and multifactor authentication should be enforced.


Bipartisan Bill Proposed to Strengthen Healthcare and Public Health Sector Cybersecurity

A new bill has been proposed by a bipartisan pair of senators that aims to improve the cybersecurity of the healthcare and public health (HPH) sector, in light of the recent warning from the White House about the increased threat of Russian cyber threats.

Last week, President Biden and the White House issued a warning about the increased risk of Russian cyberattacks on critical infrastructure, including potential attacks on the HPH sector in response to the sanctions recently imposed by the United States on Russia due to the invasion of Ukraine. The warning was “based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” said President Biden.

In response to the warning, on Thursday, March 24, 2022, U.S. Senators Jacky Rosen (D-NV) and Bill Cassidy, MD (R-LA) proposed the Healthcare Cybersecurity Act (S.3904). One of the main aims of the act is to improve collaboration between the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services. If passed, CISA would be required to collaborate with the HHS on a range of cybersecurity measures to better defend the HPH sector against cyberattacks.

“In light of the threat of Russian cyberattacks, we must take proactive steps to enhance the cybersecurity of our healthcare and public health entities,” said Senator Rosen. “Hospitals and health centers are part of our critical infrastructure and increasingly the targets of malicious cyberattacks, which can result in data breaches, the cost of care being driven up, and negative patient health outcomes. This bipartisan bill will help strengthen cybersecurity protections and protect lives.”

CISA would be required to conduct a detailed study on specific cybersecurity risks facing the HPH sector, which would involve “an analysis of how cybersecurity risks specifically impact health care assets, an evaluation of the challenges health care assets face in securing updated information systems, and an assessment of relevant cybersecurity workforce shortages.” The bill will also authorize cybersecurity training for HPH sector operators to improve awareness of cybersecurity risks and the most effective ways to mitigate them.

2021 was a particularly bad year for healthcare industry cyberattacks. 714 data breaches of 500 or more records were reported to the Department of Health and Human Services last year, making 2021 the worst ever year for healthcare industry data breaches. Almost 46 million records were reported to the HHS as being breached in 2021. Data breaches are now being reported at twice the level of 2017 and hacking incidents have increased every year. In 2021, 82% of the reported healthcare data breaches were classed as hacking/IT incidents, compared to just 41% in 2017.

“Health centers save lives and hold a lot of sensitive, personal information. This makes them a prime target for cyber-attacks,” said Dr. Cassidy. “This bill protects patients’ data and public health by strengthening our resilience to cyber warfare.”


FBI: At Least 148 Healthcare Organizations Suffered Ransomware Attacks in 2021

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released its 2021 Internet Crime Report, which reveals there were at least 649 ransomware attacks on critical infrastructure organizations from June 2021 to December 2021.

14 of the 16 critical infrastructure sectors reported at least one ransomware attack, although the healthcare and public health sector was the worst affected, accounting for 148 of those attacks, followed by financial services with 89 attacks, and the information technology sector with 74.

The Conti ransomware gang was the most active in 2021 with 87 reported attacks on critical infrastructure organizations, followed by LockBit ransomware (58) and the now-disbanded REvil/Sodinokibi ransomware operation (51). The Conti gang favored targets in critical manufacturing, commercial facilities, and the food and agriculture sectors; LockBit most frequently attacked healthcare and public health, government facilities, and financial services; and REvil targeted healthcare and public health, financial services, and the information technology sectors.

Other prolific ransomware operations in 2021 include Ragnar Locker, which attacked 52 critical infrastructure organizations, and Cuba ransomware, which was used in attacks on 49 critical infrastructure organizations. Ransomware gangs use a variety of methods to gain access to victim networks; however, the most common attack vectors in 2021 were phishing emails, Remote Desktop Protocol (RDP) exploitation, and the exploitation of software vulnerabilities. While 2021 saw several major ransomware operations shut down, others have taken their place. IC3 anticipates 2022 will see an increase in ransomware attacks on critical infrastructure.

IC3 said there was an unprecedented increase in cyberattacks and malicious cyber activity in 2021 targeting a wide range of business sectors and individuals. A record number of complaints were submitted to IC3 by the American public in 2021, increasing by 7% from 2020 to 847,376 complaints. Across those complaints there were reported losses of more than $6.9 billion – a 64.29% increase from the $4.2 billion in losses reported in 2020.

[Figure: Losses to cybercrime over the past 5 years. Source: IC3]

Phishing – including vishing, smishing, and pharming – was the most prevalent type of cybercrime in 2021, with 323,972 phishing complaints reported to IC3, up 34% from 2020. Nonpayment/non-delivery crimes were the second most reported incidents, with 82,478 victims.

19,954 complaints were received about business email compromise (BEC)/email account compromise (EAC) scams in 2021, which ranked top for victim losses with adjusted losses of almost $2.4 billion in 2021 – a 28% increase from 2020. IC3 said BEC attacks have become much more sophisticated. While they used to involve compromised email accounts that were used to request W2 forms or fraudulent wire transfers, scammers have exploited the increased reliance on telework and virtual communications platforms.

A compromised email account of an employer or financial director is often used to request employees participate in virtual meeting platforms. “In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a “deep fake” audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly,” explained IC3.

More than $44 million was lost to phishing scams in 2021, and the 3,729 reported ransomware attacks involved losses of at least $49 million. Losses to ransomware are difficult to determine. The $49 million does not include associated costs such as remediation, only reported ransom payments, and ransom payments are not always reported to IC3.

IC3 reported on the successes of its Recovery Asset Team (RAT) in freezing funds for victims of cybercrime. “In 2021, the IC3’s RAT initiated the Financial Fraud Kill Chain on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443,448,237. A monetary hold was placed on approximately $329 million, which represents a 74% success rate.”


President Biden Urges Private Sector to Take Immediate Action to Harden Cybersecurity Defenses

President Biden has issued a warning about the increased threat of cyberattacks by Russian state-sponsored hackers as a result of the economic sanctions imposed on the country in response to the invasion of Ukraine. President Biden said the warning is based on “evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”

A few days before President Biden’s warning, the FBI issued an alert warning that hacking groups linked to Russia could target U.S organizations in response to the recently imposed sanctions. Deputy national security adviser Anne Neuberger explained in a White House briefing on Monday that threat actors associated with Russian IP addresses had conducted “preparatory activity” for cyberattacks, such as scanning websites and other Internet-facing systems at 5 US energy firms for exploitable vulnerabilities. Scans have also been conducted on at least 18 other US companies in sectors such as defense and financial services. The FBI said the Russian IP addresses used for scanning have previously been used for destructive cyber activity against foreign critical infrastructure, and that scanning activity has increased since Russia invaded Ukraine.

“I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook,” said President Biden in his statement. “My Administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure. But the Federal Government can’t defend against this threat alone.”

In the United States, a large percentage of the country’s critical infrastructure is operated by the private sector. President Biden has called for owners and operators of critical infrastructure to accelerate their efforts to improve their defenses and “lock their digital doors”. The White House has issued a fact sheet detailing the steps that should be taken to improve cybersecurity defenses in preparation for possible Russian cyberattacks, and has called for the recommendations to be implemented immediately.

One of the most important steps to take to improve security is to implement and mandate the use of multi-factor authentication, which makes it much harder for threat actors to use compromised or stolen credentials to access internal networks. Security software capable of continuously scanning computers and devices to identify and mitigate threats should be deployed. Cybersecurity teams should ensure that all operating systems and software are updated and patched against known vulnerabilities, especially those listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog.

Robust backup procedures should be implemented and backups should be stored offline, out of the reach of attackers that successfully compromise networks. Sensitive data should be encrypted at rest and in transit to ensure that if the information is stolen, it cannot be used.

Security awareness training should be provided to employees to help them identify and avoid threats, and the workforce should be encouraged to immediately report any suspicious activity. The White House also encourages critical infrastructure operators to engage proactively with their local FBI field offices and/or CISA Regional Office to establish relationships in advance of any cyber incidents and to run exercises and drills to test emergency plans to ensure a quick and effective response is possible in the event of a cyber intrusion.

The American Hospital Association (AHA) has urged hospitals and health systems to review the government fact sheet and take immediate steps to improve cybersecurity, as well as review AHA guidance and alerts about risk mitigation procedures. Hospitals and health systems have also been urged to increase network monitoring for unusual network traffic and activity, especially around Active Directory, and to “heighten staffs’ awareness of [the] increased risk of receiving malware-laden phishing emails.”

The AHA also recommends geo-fencing for inbound and outbound traffic to and from Russia, Ukraine, and the surrounding regions, checking the redundancy, resiliency, and security of networks and data backups, and ensuring emergency electric generating redundancy, resiliency, and generator fuel reserves are in place and have been recently tested.

It is also important to identify all internal and third-party mission-critical clinical and operational services and technology and to put into place four-to-six week business continuity plans and well-practiced downtime procedures in the event those services or technologies are disrupted by a cyberattack.


OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks

Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule.

The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities.

Prevention of Phishing

Phishing is one of the most common ways that cyber actors gain a foothold in healthcare networks. Coveware’s Q2 2021 Quarterly Ransomware Report suggests 42% of ransomware attacks in the quarter saw initial network access gained via phishing emails. Phishing attacks attempt to trick employees into visiting a malicious website and disclosing their credentials or opening a malicious file and installing malware.

Anti-phishing technologies such as spam filters and web filters are key technical safeguards to prevent phishing attacks. They stop emails from being delivered from known malicious domains, scan attachments and links, and block access to known malicious websites where malware is downloaded or credentials are harvested. These tools are important technical safeguards for ensuring the confidentiality, integrity, and availability of ePHI.

OCR reminded HIPAA-regulated entities that “The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” which includes management personnel and senior executives. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond,” said OCR.

The Security Rule also has an addressable requirement to send periodic security reminders to the workforce. OCR said one of the most effective forms of “security reminders” is phishing simulation emails. These exercises gauge the effectiveness of the training program and allow regulated entities to identify weak links and address them. Those weak links could be employees who have not fully understood their training or gaps in the training program.

“Unfortunately, security training can fail to be effective if it is viewed by workforce members as a burdensome, ‘check-the-box’ exercise consisting of little more than self-paced slide presentations,” suggested OCR. “Regulated entities should develop innovative ways to keep the security trainings interesting and keep workforce members engaged in understanding their roles in protecting ePHI.”

Prevention of Vulnerability Exploitation

Some cyberattacks exploit previously unknown vulnerabilities (zero-day attacks) but it is much more common for hackers to exploit known vulnerabilities for which patches are available or mitigations have been made public. It is the failure to patch and update operating systems promptly that allows cyber actors to take advantage of these vulnerabilities.

The continued use of outdated, unsupported software and operating systems (legacy systems) is common in the healthcare industry. “Regulated entities should upgrade or replace obsolete, unsupported applications and devices (legacy systems),” said OCR. “However, if an obsolete, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur (e.g., increase access restrictions, remove or restrict network access, disable unnecessary features or services).”

The HIPAA Security Rule requires regulated entities to implement a security management process to prevent, detect, contain, and fix security violations. A risk analysis must be conducted and risks and vulnerabilities to ePHI must be reduced to a reasonable and appropriate level. The risk analysis and risk management process should identify and address technical and non-technical vulnerabilities.

To help address technical vulnerabilities, OCR recommends signing up for alerts and bulletins from CISA, OCR, the HHS Health Sector Cybersecurity Coordination Center (HC3), and participating in an information sharing and analysis center (ISAC). Vulnerability management should include regular vulnerability scans and periodic penetration tests.

Eradicate Weak Cybersecurity Practices

Cyber actors often exploit poor authentication practices, such as weak passwords and single-factor authentication. The 2020 Verizon Data Breach Investigations Report suggests over 80% of breaches due to hacking involved compromised or brute-forced credentials.

“Regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes,” explained OCR. The risk of unauthorized access is higher when users access systems remotely, so additional authentication controls should be implemented, such as multi-factor authentication for remote access.

Since privileged accounts provide access to a wider range of systems and data, steps should be taken to bolster the security of those accounts. “To reduce the risk of unauthorized access to privileged accounts, the regulated entity could decide that a privileged access management (PAM) system is reasonable and appropriate to implement,” suggests OCR. “A PAM system is a solution to secure, manage, control, and audit access to and use of privileged accounts and/or functions for an organization’s infrastructure. A PAM solution gives organizations control and insight into how its privileged accounts are used within its environment and thus can help detect and prevent the misuse of privileged accounts.”

OCR reminds regulated entities that they are required to periodically examine the strength and effectiveness of their cybersecurity practices and increase or add security controls to reduce risk as appropriate, and also conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI.

The post OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks appeared first on HIPAA Journal.