Healthcare Data Privacy

Vulnerabilities Identified in B. Braun Infusomat Space and Perfusor Space Infusion Pumps

Posted by HIPAA Journal

B. Braun has released software updates to fix five vulnerabilities in its Infusomat Space and Perfusor Space Infusion Pumps. The vulnerabilities could be exploited remotely in a low complexity attack.

In North America, the flaws affect Battery pack SP with WiFi (All software Versions 028U000061 and earlier) that have been installed in an Infusomat Space Infusion Pump or a Perfusor Space Infusion pump, and SpaceStation with SpaceCom 2 (All software Versions 012U000061 and earlier). The vulnerabilities were identified by Douglas McKee and Philippe Laulheret of McAfee, who reported them to B. Braun.

The most serious vulnerability is a critical flaw in B. Braun SpaceCom2 that has been assigned a CVSS severity score of 9 out of 10. The flaw – tracked as CVE-2021-33885 – is due to insufficient verification of data authenticity and could be exploited by a remote attacker to send malicious data to the device, which would be used in place of the correct data.

An improper input validation flaw – CVE-2021-33886 – would allow a remote unauthenticated attacker to gain user-level command-line access by passing a raw external string straight through to printf statements, although the attacker would need to be on the same network as the device, which limits the potential for exploitation. The flaw has been assigned a CVSS score of 6.8.

A missing authentication for critical function vulnerability – CVE-2021-33882 – could be exploited by a remote attacker to reconfigure the device from an unknown source, due to the lack of authentication on proprietary networking commands. The flaw has also been assigned a CVSS score of 6.8.

Due to unrestricted uploads of dangerous file types, a remote attacker could upload a malicious file to the /tmp directory of the device through the webpage API, which could result in critical files being overwritten affecting device functionality. The flaw is tracked as CVE-2021-33884 and has a CVSS severity score of 6.5.

The last vulnerability is an information exposure issue that could allow an attacker to obtain critical values for a pump’s internal configuration due to the transmission of sensitive information in cleartext. The flaw is tracked as CVE-2021-33883 and has been assigned a CVSS severity score of 5.9.

  1. Braun has fixed the flaws in the following software updates:
  • Battery pack SP with Wi-Fi, software 028U00062 (SN 138852 and lower)
  • Battery pack SP with Wi-Fi, software 054U00091 (SN 138853 and higher)
  • SpaceStation with SpaceCom 2 software Versions 012U000083

At present, there have been no reported cases of exploitation of the flaws; however, the updates should be applied as soon as possible.

B.Braun also recommends ensuring infusion pumps are housed in separate environments that are protected by firewalls or VLANs, that authentication measures are put in place to prevent unauthorized access, and that the devices are not directly accessible over the Internet. If remote access is required, secure methods of access should be used, such as a Virtual Private Network (VPN).

The post Vulnerabilities Identified in B. Braun Infusomat Space and Perfusor Space Infusion Pumps appeared first on HIPAA Journal.

UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence

Posted by HIPAA Journal

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail.

Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums.

In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was dispersed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela.

Three of Johnson’s co-conspirators were arrested and charged for their roles in the UPMC cyberattack. In August 2016, Cuban national Yolandy Perex Llanes was extradited to the United States and pleaded guilty in April 2017 to money laundering and aggravated identity theft. He was sentenced in 2017 to 6 months of time served.

In April 2017, Justin A. Tollefson of Spanaway, Washington, a staff sergeant at Joint Base Lewis-McChord in Tacoma, Washington, pleaded guilty to four counts of using the stolen identities of UPMC employees to file fraudulent tax returns. He had purchased the PII on a dark web forum and used the data to file fraudulent tax returns in the names of four UPMC employees. $56,333 was paid by the IRS in income tax refunds, but Tollefson was arrested before he received any funds. The judge was lenient as Tollefson had not profited from the fraud and sentenced him in 2017 to 3 years of probation.

Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to conspiracy to defraud the United States in July 2017 for her role in the identity theft and tax fraud crimes. She received a 16-month time-served sentence and was deported to Venezuela.

Johnson received the maximum sentence despite pleading guilty to the hacking charges due to the severity of the offenses and the impact they had on the lives of his victims. Chief United States District Judge Mark R, Hornak said Johnson’s behavior was like a “bulldozer” through people’s lives and his indiscriminate hacking activities showed no regard for his victims. “The actions of criminals like Justin Johnson can have long-lasting and devastating effects on the lives of innocent people,” said Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation.

Johnson was sentenced to serve 60 months in jail for the conspiracy to defraud the United States charge and a mandatory 24-month sentence for aggravated identity theft, with the sentences to run consecutively.

“Justin Johnson stole the names, Social Security numbers, addresses, and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman. “Today’s sentence sends a deterrent message that hacking has serious consequences.”

The post UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence appeared first on HIPAA Journal.

September 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months.

Healthcare data breaches August 2020 to September 2021

While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

Healthcare records breached over the past 12 months

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records.

The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was reported to the HHS as affecting 500,000 individuals. The cyberattack is believed to have been conducted by a nation-state hacking group.

Two major data breaches were reported by eye care providers: A hacking incident at U.S. Vision Optical resulted in the exposure of the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management gave the attackers access to email accounts containing the PHI of 144,373 individuals. The breaches are not believed to be related, but they are two of a handful of recent incidents affecting eye care providers.

Ransomware continues to be extensively used in attacks on the healthcare industry. 6 of the top 16 attacks in September involved ransomware and potentially saw PHI stolen. Several ransomware gangs have targeted the healthcare sector, with the FIN12 group one of the most active. A recent analysis of FIN12 attacks by Mandiant revealed 20% of the gang’s attacks have been on the healthcare industry, with the attacks accounting for around 20% of all incidents Mandiant responds to.

Hackers have been targeting the healthcare industry, but data breaches can also be caused by insiders with privileged access to PHI. One notable ‘insider’ breach was reported by Premier Management Company and involved data being accessed by a former employee after termination. The incident highlights the importance of ensuring access to PHI (and IT systems) is blocked immediately when an employee is terminated, leaves the company, or when job functions change that no longer require an employee to have access to PHI.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
State of Alaska Department of Health & Social Services AK Health Plan 500,000 Nation-state hacking Incident
U.S. Vision Optical NJ Healthcare Provider 180,000 Unspecified hacking incident
Simon Eye Management DE Healthcare Provider 144,373 Email account breach (phishing)
Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan IL Health Plan 49,000 Ransomware attack
Talbert House OH Healthcare Provider 45,000 Unspecified hacking incident (data exfiltration)
Premier Management Company TX Healthcare Provider 37,636 PHI accessed by an employee after termination
Central Texas Medical Specialists, PLLC dba Austin Cancer Centers TX Healthcare Provider 36,503 Malware
Orlick & Kasper, M.D.’s, P.A. FL Healthcare Provider 30,000 Theft of electronic devices containing PHI
McAllen Surgical Specialty Center, Ltd. TX Healthcare Provider 29,227 Ransomware attack
Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans AZ Health Plan 28,000 Ransomware attack
Horizon House, Inc. PA Healthcare Provider 27,823 Ransomware attack
Rehabilitation Support Services, Inc. NY Healthcare Provider 23,907 Unspecified hacking incident (data exfiltration)
Samaritan Center of Puget Sound WA Healthcare Provider 20,866 Theft of electronic devices containing PHI
Directions for Living FL Healthcare Provider 19,494 Ransomware attack
Buddhist Tzu Chi Medical Foundation CA Healthcare Provider 18,968 Ransomware attack
Eastern Los Angeles Regional Center CA Business Associate 12,921 Email account breach (phishing)

Causes of September 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 53.2% of all breaches reported in the month and 91.6% of all breached records. 1,147,383 healthcare records were exposed or stolen in those incidents, with an average breach size of 33,747 records and a median breach size of 2,453 records.

The number of incidents involving the theft of physical records or electronic equipment containing PHI increased month-over-month. September saw 6 theft incidents reported and 60,236 records compromised. The mean breach size was 10,039 records and the median breach size was 3,918 records. 4 of those breaches involved electronic equipment and could have been prevented had encryption been used.

There were 7 data breaches reported that involved unauthorized access or disclosures of data by insiders. 45,639 records were breached across those incidents, 37,636 of which were obtained in a single incident. The average breach size was 6,520 records and the median breach size was 1,738 records.

Causes of September 2021 healthcare data breaches

Given the high number of hacking and ransomware incidents reported, it is no surprise that the most common location of breached PHI is network servers. Email accounts continue to be targeted in phishing attacks, with 13 incidents in September involving PHI stored in email accounts. The number of devices containing PHI that were stolen highlights the importance of using encryption to protect stored data.

Location of PHI in September 2021 healthcare data breaches

September 2021 Data Breaches by HIPAA-Regulated Entity

Healthcare providers were the worst affected covered entity with 30 reported breaches. 10 breaches were reported by health plans, 6 breaches were reported by business associates, and one breach was reported by a healthcare clearinghouse.

5 breaches of those breaches were reported by a HIPAA-covered entity but occurred at a business associate. The adjusted figures are shown in the pie chart below.

September 2021 healthcare data breaches by HIPAA-regulated entity type

September 2021 Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities based in 25 states. Texas was the worst affected state with 6 reported breaches of 500 or more records, followed by California with 5 breaches and Connecticut with 4.

State Breaches
Texas 6
California 5
Connecticut 4
Florida & Washington 3
Arizona, Georgia, Illinois, New York, Ohio, & Pennsylvania 2
Alaska, Delaware, Indiana, Kentucky, Maryland, Minnesota, Missouri, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Virginia, & Wisconsin 1

HIPAA Enforcement Activity in September 2021

The Department of Health and Human Services’ Office for Civil Rights now has a new director, and it is currently unclear what direction she will take in the department’s HIPAA enforcement actions.

Since the fall of 2019 OCR has been targeting HIPAA-regulated entities that fail to comply with the HIPAA Right of Access and September saw the 20th financial penalty imposed under this initiative for the failure to provide individuals with access to their healthcare records.

Children’s Hospital & Medical Center in Omaha, NE, settled its HIPAA Right of Access case with OCR and paid an $80,000 financial penalty. This was the ninth OCR case this year to have resulted in a financial penalty for non-compliance with the HIPAA Rules.

There were no reported enforcement activities by state attorneys general in September.

The post September 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

American Osteopathic Association Notifies 27,500 Individuals About June 2020 Data Theft Incident

Posted by HIPAA Journal

Approximately 27,500 individuals are being notified that some of their personal information has been stolen in a cyberattack on the American Osteopathic Association (AOA). AOA is a Chicago-based professional organization that represents around 151,000 osteopathic physicians and medical students across the United States.

On June 25, 2020, the AOA identified suspicious activity within some of its systems. Its network was taken offline, and forensic investigators were engaged to determine the nature and scope of the incident. The investigation confirmed the attackers gained access to systems that contained personally identifiable information and exfiltrated data from those systems.

A comprehensive review of the files was conducted to determine which individuals had been affected. That review determined names, addresses, dates of birth, Social Security numbers, financial account information, and email addresses/usernames and passwords were in the exfiltrated data.

The AOA said its investigation did not uncover any evidence of actual or attempted misuse of the stolen data, but as a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

It has taken more than 15 months from the discovery of the breach for affected individuals to be notified. The AOA said that like many organizations, the COVID-19 pandemic presented considerable challenges to its normal business operations. As a result of the pandemic, it took considerably longer for AOA to identify the names and addresses of the affected individuals. According to the AOA, this was “due to the pandemic’s impact on our staff’s working conditions, and their inability to be on location to identify all potentially impacted parties.” It took until June 1, 2021, for the total population of affected individuals and contact information to be identified.

According to the breach report submitted to the Maine Attorney General, notifications were sent to affected individuals on October 13, 2021.

The post American Osteopathic Association Notifies 27,500 Individuals About June 2020 Data Theft Incident appeared first on HIPAA Journal.

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty

Posted by HIPAA Journal

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty.

Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI).

Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents.

As a HIPAA covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access.

Diamond Investigated for Compliance with Federal and State Laws

The State of New Jersey Department of Law and Public Safety Division of Consumer Affairs investigated Diamond over the data breach to determine compliance with federal and state laws. The investigation revealed Diamond had entered into a support contract with the managed service provider (MSP) Infoaxis Technologies in 2007, which including security and information technology services including maintaining its third-party server and workstations. The service agreement included third-party software for the management and reporting of audit logs intended to interpret triggers for event alerts.

Around March 2014, Diamond downgraded its support package with the MSP, resulting in a reduction in the services provided, although Diamond maintains there was no reduction in services between the two support agreements other than the amount of time included for on-site support services.

Prior to the breach occurring, Diamond’s HIPAA Privacy and Security Officer used a Remote Desktop Protocol (RDP) service with a VPN to access the Diamond network, but because the VPN was blocked from the Bermuda office, the MSP provided a different method of access that involved opening a port in the firewall to allow RDP access, instead of using the VPN for authentication.

Between August 28, 2016 and January 14, 2017, a workstation in the Millburn office was accessed by an unauthorized individual on several occasions from a foreign IP address. The unauthorized access was detected and blocked on January 14, 2017. During the time the workstation was accessible, data on the device was not encrypted. The intruder therefore potentially accessed patient data including names, dates of birth, Social Security numbers, and medical record numbers.

An investigation into the breach also revealed an intruder accessed Diamond’s third-party server which housed its electronic medical records within a password-protected SQL server using two compromised Diamond user accounts that had weak passwords. The investigation revealed weak security settings were in place for failed login attempts and password expiration.

While the EMR data was not compromised, the intruder was able to access PHI such as test results, ultrasound images, and clinical and post-operative notes. Diamond’s investigation was unable to confirm how access to the network was gained.

Multiple HIPAA Violations Uncovered

The state investigation into the data breach revealed business associate agreements were not in place prior to sharing ePHI with three business associates: Infoaxis, BMedTech, and Igenomix, in violation of the HIPAA Rules. Diamond was also alleged to have violated the CFA, HIPAA Security Rule, and HIPAA Privacy Rule by removing administrative and technological safeguards protecting PHI and ePHI, which allowed unauthorized individuals to gain access to its systems and ePHI for around five and a half months.

The CFA violations included misrepresentation of HIPAA practices in its privacy and security policy, a failure to secure its network leading to a data breach, and unconscionable commercial practices.

The settlement agreement lists failures to comply with twenty-nine provisions of the HIPAA Privacy and Security Rules. Alleged violations include the failure to conduct a comprehensive risk assessment, failure to encrypt ePHI, failure to modify security measures to ensure reasonable protections for ePHI were maintained, failure to implement procedures for creating, changing, and modifying passwords, and a failure to verify the identify of individuals seeking access to ePHI.

Diamond disputes many of the claims made by the state but agreed to settle the case and pay a $495,000 financial penalty, which consists of $412,300 in civil penalties and $82,700 in investigation fees.

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”

In addition to the financial penalty, Diamond is required to implement additional measures to improve data security, including the use of encryption to prevent unauthorized access to ePHI, implementing a comprehensive information security program, appointing a new HIPAA officer, providing additional training to staff on security policies, developing a written incident response plan, and improving logging, monitoring, access controls, password management, and implementing a risk assessment program.

“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

The post New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty appeared first on HIPAA Journal.

Cybersecurity Awareness Month: Fight the Phish!

Posted by HIPAA Journal

According to the Verizon Data Breach Investigations Report, phishing accounted for around 80% of all reported phishing attacks in 2019 and since the pandemic began in 2020 phishing attacks and associated scams have been thriving. In 2020, 74% of US organizations experienced a successful phishing attack.

Phishing attacks typically use emails or malicious websites – or both – to obtain sensitive information such as login credentials or to infect devices with malware and viruses. Phishing attacks involve a lure to get the recipient to take a certain action, such as clicking on a hyperlink in an email or opening a malicious email attachment. Email addresses, sender names, phone numbers, and website URLs are often spoofed to trick people into believing they are interacting with a familiar and trusted source.

The 2021 Cost of Phishing Study conducted by the Ponemon Institute/Proofpoint suggests the cost of phishing attacks has quadrupled over the past 6 years, with large U.S. firms now losing an average of $14.83 million a year to phishing attacks. An average-sized U.S. company employing 9,567 people, loses around 63,343 hours every year to phishing attacks, with the cost equating to around $1,500 per employee.

Phishing is the starting point of the costliest cyberattacks. In 2020, more than $1.8 billion was fraudulently obtained in Business Email Compromise (BEC) attacks, with the average cost of a BEC attack now $5.97 million. Phishing is often the starting point of ransomware attacks, which can have mitigation costs of the order of tens of millions of dollars. On average, an attack costs $996,000 to resolve.

Phishing may be the most common way for cybercriminals to gain access to email accounts, networks, and sensitive data, but these attacks can easily be prevented with the right technology and user training.

Organizations need to implement email security gateways/spam filtering solutions for all email accounts. This technical measure alone will prevent the majority of phishing emails from arriving in inboxes. Antivirus software and firewalls should be used to protect all endpoints, including computers, phones, tablets, and Internet of Things devices. These solutions should be regularly updated, ideally automatically.

Multi-factor authentication should be used on all accounts that require passwords to login. In the event of a password being obtained in a phishing attack, multi-factor authentication will prevent the password from providing access to the user’s account. Microsoft explained in a 2019 blog post that multi-factor authentication blocks more than 99.9% account compromise attacks.

Employees are the last line of defense in an organization, so it is vital for security awareness training to be provided. Employees need to be taught cybersecurity best practices to eradicate risky behaviors and must learn how to identify and avoid phishing attacks.

Employees should be made aware of the red flags in phishing emails such as call outs to open attachments or click links, unusual wording and formatting, spelling and grammatical errors, threats of negative consequences if rapid action is not taken, and too good to be true offers. If any red flags are identified, it is vital to verify the source of the email or text message and to make content with the sender to confirm a request is authentic. Employees should be conditioned to stop and think before taking any action requested in an email or text message and never to respond, open attachments, or click links in messages if there is any doubt about the sender or request.

According to Verizon, “There is some cause for hope in regard to phishing, as click rates from the combined results of multiple security awareness vendors are going down.” In 2012, phishing email click rates were around 25% but by 2019 they had fallen to around 3% as a result of improved awareness of phishing and more extensive end user training.

Given the scale of the threat from phishing, once-a-year security awareness training sessions are no longer sufficient. While annual training may meet the minimum requirement for compliance with HIPAA, it is not sufficient to reduce the risk of a successful attack to low and acceptable level. Security awareness training for the workforce needs to be an ongoing process, with regular training provided throughout the year accompanied by phishing simulation exercises where the phishing identification skills of employees are put to the test. Through training and phishing simulation exercises, susceptibility to phishing attacks can be greatly reduced.

CISA has produced a tip sheet for Cybersecurity Awareness Month to help individuals fight the phish.

The post Cybersecurity Awareness Month: Fight the Phish! appeared first on HIPAA Journal.

Insider Threat Self-Assessment Tool Released by CISA

Posted by HIPAA Journal

Public and private sector organizations have a new tool to help them assess their level of vulnerability to insider threats. The new Insider Threat Risk Mitigation Self-Assessment Tool has been created by the Cybersecurity and Infrastructure Security Agency (CISA) to help users further their understanding of insider threats and develop prevention and mitigation programs.

In healthcare, security efforts often focus on the network perimeter and implementing measures to block external threats, but insider threats can be just as damaging, if not more so. Insiders can steal sensitive information for financial gain, can take information to provide to their next employer, or can abuse their privileged access to cause significant harm.

Insider breaches can have major consequences for businesses, with may include reputation damage, loss of revenue, theft of intellectual property, reduced market share, and even physical harm. CISA says insider threats can include current and former employers, contractors, or other individuals with inside knowledge about a business. The threat posed by insiders can be considerable due to the knowledge those individuals have about a business and the fact they are trusted and have privileged access to systems and sensitive data.

Large organizations are likely to have conducted risk assessments and put measures in place to mitigate insider threats. Small- and medium-sized businesses tend to have limited resources and may not have assessed their risk level and are most likely to benefit from using the new tool.

The tool consists of a series of questions that will establish the level of vulnerability to insider threats and will provide feedback to users to help them develop appropriate mitigations to guard against insider threats and reduce risk to a low and acceptable level.

“CISA urges all our partners, especially small and medium businesses who may have limited resources, to use this new tool to develop a plan to guard against insider threats.  Taking some small steps today can make a big difference in preventing or mitigating the consequences of an insider threat in the future,” said CISA Executive Assistant Director for Infrastructure Security David Mussington.

The post Insider Threat Self-Assessment Tool Released by CISA appeared first on HIPAA Journal.

Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart

Posted by HIPAA Journal

October is Cybersecurity Awareness Month; a full month where the importance of cybersecurity is highlighted, and resources are made available to help organizations improve their security posture through the adoption of cybersecurity best practices and improving security awareness of the workforce.

Cybersecurity Awareness Month was launched by the National Cyber Security Alliance and the United States Department of Homeland Security in 2004 to raise awareness of the importance of cybersecurity. Each year has a different theme, although the overall aim is the same – To empower individuals and the organizations they work for to improve cybersecurity and make it harder for hackers and scammers to succeed.

The month is focused on improving education about cybersecurity best practices, raising awareness of the digital threats to privacy, encouraging organizations and individuals to put stronger safeguards in place to protect sensitive data, and highlighting the importance of security awareness training.

This year has the overall theme – “Do Your Part, #BeCyberSmart” – and is focused on communicating the importance of everyone playing a role in cybersecurity and protecting systems and sensitive data from hackers and scammers. Throughout the month, the National Cyber Security Alliance and its partners will be running programs to raise awareness of specific aspects of cybersecurity, with each week of the month having a different theme.

  • Week of October 4 (Week 1): Be Cyber Smart.
  • Week of October 11 (Week 2): Phight the Phish!
  • Week of October 18 (Week 3): Explore. Experience. Share.
  • Week of October 25 (Week 4): Cybersecurity First

Cybersecurity Awareness month kicks off with the theme of “Be Cyber Smart” in week 1, where cybersecurity best practices are highlighted to protect the vast amounts of personal and business data that are stored on Internet-connected platforms.

“This evergreen theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity,” said the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Best practices being highlighted in week 1 are those that businesses and individuals should be implementing. They include always creating strong passwords, implementing multi-factor authentication on accounts, keeping software updated and patching promptly, and creating backups to ensure data can be recovered in the event of a ransomware attack or other destructive cyberattack.

“Since its inception, Cybersecurity Awareness Month has elevated the central role that cybersecurity plays in our national security and economy.  This Cybersecurity Awareness Month, we recommit to doing our part to secure and protect our internet-connected devices, technology, and networks from cyber threats at work, home, school, and anywhere else we connect online,” said, President Biden in a White House statement announcing the start of Cybersecurity Awareness Month. “I encourage all Americans to responsibly protect their sensitive data and improve their cybersecurity awareness by embracing this year’s theme: “Do Your Part.  Be Cyber Smart.”

Each week this month, HIPAA Journal will share information and resources based on the theme of the week that can be used to raise awareness of cybersecurity in your organization and improve your resilience to cyberattacks and privacy threats.

Be Cyber Smart – Your Role in Cybersecurity

Cybersecurity Basics – How to Secure Your Online Life

CISA – Cybersecurity Awareness Tip Sheets

The post Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart appeared first on HIPAA Journal.

Lisa J. Pino Named New Director of HHS’ Office for Civil Rights

Posted by HIPAA Journal

OCR Director, Lisa J. Pino

Lisa J. Pino has been named Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) and replaces Robinsue Frohboese, who has served as acting OCR Director since President Trump-appointed Roger Severino resigned from the post in mid-January.

OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Patient Safety and Quality Improvement Act, and Patient Safety Rule, as well as as well as enforcing federal civil rights, conscience and religious freedom laws.

Pino is from New York City, a fluent Spanish speaker, and the first-generation daughter of immigrant parents. She completed a B.A., M.A., and J.D. at Arizona State University with honors, and Harvard Kennedy School leadership program as a National Hispana Leadership Institute Fellow.

Pino has served as legal aid attorney in the Southwest, fighting to protect the rights of migrant farm workers. Her civil rights activities carried on while working for the United States Department of Agriculture (USDA) where she served as USDA Deputy Administrator of the Supplemental Nutrition Assistance Program (SNAP) and USDA Deputy Assistant Secretary for Civil Rights.

While at the USDA, Pino drafted and championed USDA’s first gender identity anti-discrimination program regulation along with its first USDA limited English proficiency guidance. Pino played a key role in ensuring minority farmers had access to benefits awarded through class action settlements through her direction of USDA’s outreach and engagement activities.

Pino is a former senior executive service who was also appointed by President Barack Obama and served at the U.S. Department of Homeland Security (DHS) as Senior Counselor. There she played a key role in the mitigation of the largest federal data breach in history, the 2015 hacking of the data of 4 million federal personnel and 22 million surrogate profiles, by renegotiating 700 vendor procurements and establishing new cybersecurity regulatory protections.

Most recently, Pino served as Executive Deputy Commissioner of the New York State Department of Health, the agency’s second-highest executive position. During her time in the role, Pino spearheaded the state’s operational response to the COVID-19 pandemic and programming for Medicaid, Medicare, Nutrition Program for Women, Infants, and Children (WIC), Hospital and Alternative Care Facility, Wadsworth Laboratories, Center for Environmental Health, Center for Community Health, and AIDS Institute.

“Lisa is an exceptional public servant, and I am delighted to welcome her to the role of the Director of the Office for Civil Rights at HHS,” said HHS Secretary Xavier Becerra. “Her breadth of experience and management expertise, particularly her hand in advancing civil rights regulations and policy at the U.S. Department of Agriculture (USDA) during the Obama-Biden Administration, will help ensure that we protect the rights of every person across the country as we work to build a healthier America.”

The post Lisa J. Pino Named New Director of HHS’ Office for Civil Rights appeared first on HIPAA Journal.