Healthcare Data Security

Only One in Five Organizations Follow the 3-2-1 Rule for Data Backups

The healthcare industry is an attractive target for cybercriminals and data thieves. Healthcare organizations store vast amounts of sensitive data that can be easily monetized. Large health systems are often targeted due to the high ransoms that can be demanded, as the recent attack on CommonSpirit Health demonstrated; however, attacks are conducted on healthcare organizations of all sizes. The ransomware remediation firm, Coveware, reported earlier this year that 82% of ransomware attacks in 2021 occurred at firms with fewer than 1,000 employees.

Healthcare providers are heavily reliant on access to data, which makes them a prime target for ransomware gangs. When data is rendered unavailable, that naturally has an impact on business operations and causes considerable financial losses, and threatens patient safety. Without access to EHRs and medical histories, healthcare organizations are left with little alternative but to cancel appointments. Fast recovery of data is essential, which is why many healthcare organizations choose to pay the ransom to try to accelerate the data recovery process.

Ransomware gangs encrypt data and also seek to encrypt or delete backups to ensure that important data cannot be recovered without paying the ransom. In 2020, the University of California, San Francisco (UCSF) was targeted by the NetWalker ransomware gang – a ransomware-as-a-service (RaaS) operation that has no qualms about conducting attacks on medical and healthcare targets.

In the attack, the gang succeeded in encrypting data on the servers used by its School of Medicine. UCSF had data protection measures in place, but they proved to be inadequate and did not allow data to be recovered. UCSF was left with little alternative other than paying a $1.14 million ransom for the keys to recover their data.

In order to be able to recover quickly from a ransomware attack, healthcare organizations need to be proactive and develop, implement and test a security incident response plan. The HHS’ Office for Civil Rights recently communicated the importance of security incident planning and an effective data backup strategy in its October 2022 Cybersecurity Newsletter.

Only One in Five Organizations Follow the 3-2-1 Rule for Data Backups

Following a ransomware attack, a decision will need to be made about whether to pay the ransom. There is no guarantee that paying the ransom will see stolen data deleted and not further disclosed, and in 2021, only 8% of companies were able to recover all of their data after paying the ransom. The decision whether or not to pay the ransom will be based on several factors, but what limits options more than anything else is not having access to backups.

Healthcare organizations must ensure backups are made of all data to ensure that in the event of any disaster, a viable backup is available that allows data to be restored. However, many organizations fail to follow best practices for data backups and only discover after an attack that their backup procedures are insufficient. Backups need to be made and stored on systems that are not accessible from the systems on which the data resides, because if the production system is compromised, the attackers will otherwise also have access to the backups. Many healthcare organizations rely on the cloud for storing backup data securely offsite. Using the cloud for storing backups has its advantages; however, it is important not to rely totally on cloud storage. Backing up data in one place leaves organizations vulnerable to data breaches and data loss, and ransomware gangs often target cloud storage services.

When it comes to backing up data, the best practice is to follow the 3-2-1 rule, which involves creating a minimum of three backups of data, in at least two different locations, with one of those copies stored securely off-site. The three backups consist of the primary backup and at least two copies. Despite this being the best practice, a recent survey conducted by Apricorn for its 2022 Global IT Security Report has revealed many organizations are failing to follow this best practice. The survey revealed fewer than one in five organizations were following the 3-2-1 rule.

The survey revealed only 18% of organizations were following the 3-2-1 rule for backups, and only one in three organizations were backing up data both in the cloud and on an encrypted hardware storage device. While 72% of respondents said they back up data daily, only 18% said they back up data in real time. Even if backups can be used to restore data, up to a day’s worth of that data will be lost without real-time backups.
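The 3-2-1 rule, the requirement that backups be unreachable from the production systems, and the data-loss window of daily versus real-time backups described above can all be checked mechanically against a backup inventory. The following script is an added example written for this page; it is not code from HIPAA Journal or Apricorn. The inventory fields, the site names and the reference time are constructed assumptions, and the 90-day restore-test interval is an illustrative policy value, not a figure from the survey.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str                          # site identifier (assumed naming scheme)
    offsite: bool                          # stored away from the site holding the live data
    isolated: bool                         # not reachable from the production network
    last_success: datetime                 # last completed backup run
    last_restore_test: Optional[datetime]  # last verified restore, if ever


def evaluate_321(copies: List[BackupCopy], now: datetime,
                 max_age: timedelta = timedelta(days=1),
                 test_interval: timedelta = timedelta(days=90)) -> Tuple[bool, List[str]]:
    """Apply the 3-2-1 rule as stated on the page (three copies, two locations,
    one off-site) plus the page's other points: a copy counts only if it is
    current, at least one copy must be unreachable from production, and every
    counted copy needs a recent successful restore test (an untested backup is
    not known to be usable)."""
    findings = []
    current = [c for c in copies if now - c.last_success <= max_age]
    stale = [c.name for c in copies if now - c.last_success > max_age]
    if stale:
        findings.append("stale, not counted: " + ", ".join(stale))
    if len(current) < 3:
        findings.append(f"{len(current)} current copies, rule requires 3")
    locations = {c.location for c in current}
    if len(locations) < 2:
        findings.append(f"{len(locations)} location(s), rule requires 2")
    if not any(c.offsite for c in current):
        findings.append("no current off-site copy")
    if not any(c.isolated for c in current):
        findings.append("no current copy isolated from the production network")
    untested = [c.name for c in current
                if c.last_restore_test is None or now - c.last_restore_test > test_interval]
    if untested:
        findings.append("restore not tested within interval: " + ", ".join(untested))
    return not findings, findings


def data_loss_window(copies: List[BackupCopy], now: datetime) -> Optional[timedelta]:
    """Worst-case data loss if the live data were destroyed now: the age of the
    newest copy (the page's point about daily versus real-time backups)."""
    if not copies:
        return None
    return min(now - c.last_success for c in copies)


# Constructed reference time and inventory for the demonstration.
NOW = datetime(2022, 10, 15, 12, 0, tzinfo=timezone.utc)


def sample_inventory(tape_age_hours: int = 72) -> List[BackupCopy]:
    h = timedelta(hours=1)
    d = timedelta(days=1)
    return [
        BackupCopy("nightly-disk", "hq-datacenter", False, False, NOW - 6 * h, NOW - 30 * d),
        BackupCopy("cloud-object", "cloud-region-east", True, False, NOW - 2 * h, NOW - 45 * d),
        BackupCopy("weekly-tape", "offsite-vault", True, True, NOW - tape_age_hours * h, NOW - 60 * d),
    ]


def check_sample(tape_age_hours: int = 72) -> Tuple[bool, List[str]]:
    return evaluate_321(sample_inventory(tape_age_hours), NOW)


def sample_loss_window_seconds(tape_age_hours: int = 72) -> float:
    return data_loss_window(sample_inventory(tape_age_hours), NOW).total_seconds()


if __name__ == "__main__":
    for hours in (72, 12):
        ok, findings = check_sample(hours)
        print(f"tape age {hours}h: compliant={ok}")
        for finding in findings:
            print("  -", finding)
    print("data loss window (hours):", sample_loss_window_seconds() / 3600)
```

With the constructed inventory, the three-day-old tape is the only isolated copy, so it is not counted and the inventory fails on both copy count and isolation; refreshing the tape within the day makes the same inventory compliant. The loss window of two hours is set by the newest copy, which is why the check reports it separately from the rule itself.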

“Currently less than one in five organizations follow the 3-2-1 rule. Yet it is vital that online and offline storage go hand in hand. Of course, the benefits of creating backups are significantly diminished if you can’t leverage them effectively in critical moments,” said Kurt Markley, U.S. Managing Director at Apricorn. “A playbook should therefore be developed that outlines the process of performing data backup – who is involved, which programs and products need to be used, and the location of the backups. It should also include the procedure for testing, reviewing, and updating the process. Should any staff be absent in the event of an attack, or critical cogs in the recovery chain leave the company, the firm will still retain a step-by-step guide enabling them to respond effectively.”

The survey also explored how the move to remote working has affected security. According to the survey, 80% of surveyed organizations said they developed remote working policies in response to the pandemic, with four out of five organizations having now revised the security policies and practices that were hastily put in place to quickly accommodate the move to remote working.

56% of respondents said they have reinvested in reinforcing education about security practices, yet worryingly, out of the IT professionals surveyed, 72% said their employees fail to view themselves as a target that cybercriminals would try to exploit to gain access to company data. The most common reasons given were a perception that they were either too small a target or that they were adequately protected.

The post Only One in Five Organizations Follow the 3-2-1 Rule for Data Backups appeared first on HIPAA Journal.

CISA Director Encourages All Organizations to Adopt FIDO Authentication

In a recent blog post, Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) explained that for Cybersecurity Awareness Month she has been traveling the country promoting cybersecurity best practices, explaining the steps that everyone can take to stay safe online, and stressing the importance of enabling multi-factor authentication on email accounts, bank accounts, social media accounts, and any other accounts that contain sensitive data. “Enabling multi-factor authentication is the single most important thing Americans can do to stay safe online,” said Easterly.

When multi-factor authentication is enabled, a username and password are no longer sufficient to gain access to an account. An additional factor must be provided before access to the account is granted. This security measure is important, as passwords may be guessed or stolen, and phishing and brute force attacks are increasing. Despite MFA being an important security feature that can prevent unauthorized account access, MFA has still not been widely adopted. Many vendors make multi-factor authentication a consumer choice, rather than making it the default option. Easterly believes vendors should “forcefully nudge” consumers into configuring multi-factor authentication for their accounts.

Easterly suggests vendors should take note of the auto industry campaigns in the late 20th century that encouraged drivers to wear seatbelts and apply similar tactics to increase the adoption of MFA – which she says is the “seatbelt of the information highway.” Vendors should also build MFA into their products at the design stage, rather than MFA being an aftermarket add-on, and ensure that they provide their users with a complete MFA feature set. She also suggests vendors should publish MFA uptake numbers, especially for high-privilege accounts.

In her blog post, Easterly explained that one top vendor has reported that only around one-quarter of its enterprise customers have implemented multi-factor authentication, and more worryingly, only one-third of system administrators have MFA enabled on their accounts. “We can’t improve what we don’t measure,” said Easterly. “Simply put, we need better visibility into MFA adoption.”

Easterly explained that any form of multi-factor authentication is better than no multi-factor authentication; however, not all forms of MFA provide the same level of protection, and some forms of MFA are not resistant to phishing attacks. Recently, phishing campaigns have been conducted that are able to bypass traditional forms of MFA such as one-time codes sent to cell phones, push notifications, and authenticator apps. Attacks that are capable of bypassing traditional MFA protections are only likely to increase.

Fortunately, there are alternative forms of MFA that provide far greater protection. “A group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA,” said Easterly. “They’ve been able to bake FIDO protocols into the operating systems, browsers, phones, and tablets that you already own. And FIDO is supported on dozens of online services. Organizations large and small are starting pilots and even completing their rollout to all staff.”

Easterly says FIDO MFA is the gold standard and the only widely available phishing-resistant authentication and urges all CEOs to ensure that FIDO authentication is on their organization’s MFA implementation roadmap.
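What makes FIDO phishing-resistant, where one-time codes are not, is that the authenticator signs over the origin the browser is actually showing the user, and the relying party checks that origin against the one it expects. The model below is an added example written for this page, not code from CISA or the FIDO Alliance. It simplifies the WebAuthn assertion ceremony to its origin-binding core: an HMAC key stands in for the authenticator's private key (so that the example needs only the standard library), and the relying-party identifier `hospital.example`, the look-alike origin and the sample code are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "hospital.example"                      # assumed relying-party identifier
ALLOWED_ORIGINS = {"https://hospital.example"}  # origins the relying party accepts


class Authenticator:
    """Simplified FIDO authenticator. A real device signs with a per-site private
    key; here an HMAC key stands in for it (an assumption made to keep the example
    to the standard library). The signed material is what matters: the rpIdHash
    plus a hash of clientDataJSON, which the browser, not the web page, fills in
    with the origin it is actually displaying."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def get_assertion(self, rp_id, challenge, browser_origin):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True).encode()
        authenticator_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = authenticator_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self.key, signed, "sha256").digest()
        return client_data, authenticator_data, signature


class RelyingParty:
    """Server-side verification: fresh single-use challenge, expected origin,
    expected rpIdHash, valid signature."""

    def __init__(self, authenticator):
        self.key = authenticator.key   # stands in for the stored public key
        self.pending = set()

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, authenticator_data, signature):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        if cd.get("origin") not in ALLOWED_ORIGINS:
            return False, "origin mismatch"
        if authenticator_data != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.key,
                            authenticator_data + hashlib.sha256(client_data).digest(),
                            "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.pending.discard(cd["challenge"])   # each challenge is single use
        return True, "ok"


def genuine_login(rp, auth):
    challenge = rp.new_challenge()
    return rp.verify(*auth.get_assertion(RP_ID, challenge, "https://hospital.example"))


def relayed_login(rp, auth, lookalike_origin="https://hospital-example.net"):
    """A look-alike page that relays the real site's challenge still ends up with
    clientDataJSON carrying the look-alike origin, so the assertion fails at the
    real relying party. (A real browser would already refuse to use a credential
    for hospital.example from that origin; the server check is the second layer.)"""
    challenge = rp.new_challenge()   # the real challenge, relayed by the look-alike
    return rp.verify(*auth.get_assertion(RP_ID, challenge, lookalike_origin))


def otp_login(expected_code, submitted_code):
    """Contrast: a one-time code carries no origin, so a code entered on a
    look-alike page and relayed verifies exactly like one entered on the real site."""
    return hmac.compare_digest(expected_code, submitted_code)


if __name__ == "__main__":
    auth = Authenticator()
    rp = RelyingParty(auth)
    print("genuine FIDO login:", genuine_login(rp, auth))
    print("relayed FIDO login:", relayed_login(rp, auth))
    print("relayed one-time code:", otp_login("482913", "482913"))
```

The two properties a relying party should verify on every assertion are visible in `verify`: the origin must be one it owns, and the challenge must be one it issued and has not yet consumed. The one-time-code path has neither property, which is the gap the phishing campaigns described above exploit.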

The post CISA Director Encourages All Organizations to Adopt FIDO Authentication appeared first on HIPAA Journal.

September 2022 Healthcare Data Breach Report

63 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in September, bringing an end to the downward trend in data breaches seen over the previous three months. September’s total was above the 12-month average of 59 breaches a month, with data breaches being reported at a rate of more than 2 per day. In 2017, data breaches were being reported at a rate of one per day.

[Chart: Healthcare data breaches in the past 12 months - September 2022]

While the number of reported data breaches increased by 28.6% month-over-month, for the third consecutive month the number of breached records decreased, with 2,440,434 records breached across the 63 reported incidents. September’s total was well below the 12-month average of 3,481,033 breached records a month.

[Chart: Breached healthcare records in the past 12 months]

So far in 2022, 31,705,618 patient records have been exposed or impermissibly disclosed.

The Largest Healthcare Data Breaches Reported in September

30 data breaches of 10,000 or more patient records were reported to the HHS’ Office for Civil Rights in September 2022, all but one of which were hacking/IT incidents. The largest data breach involved the records of more than 542,000 patients of the Wolfe Clinic in Iowa and occurred at its electronic health record provider, Eye Care Leaders. The attack saw database and system configuration files deleted. More than 3.6 million individuals were affected by the Eye Care Leaders data breach in total.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Hacking incident at its EHR provider (Eye Care Leaders) |
| Empress Ambulance Service LLC | NY | Healthcare Provider | 318,558 | Ransomware attack |
| Cytometry Specialists, Inc. d/b/a CSI Laboratories | GA | Healthcare Provider | 244,850 | Business email compromise (BEC) attack |
| FMC Services, LLC | TX | Healthcare Provider | 233,948 | Hacked network server |
| Physician’s Business Office, Inc. | WV | Business Associate | 196,673 | Hacked network server |
| Providence WA Anesthesia Services PC | NY | Healthcare Provider | 98,643 | Hacked network server at management company |
| Medical Associates of the Lehigh Valley | PA | Healthcare Provider | 75,628 | Ransomware attack |
| Dyersburg Family Walk-In Clinic, LLC (Reelfoot Family Walk-In Clinic) | TN | Healthcare Provider | 58,562 | Hacked network server (data theft confirmed) |
| Palm Springs Anesthesia Services PC | NY | Healthcare Provider | 58,513 | Hacked network server at management company |
| Reiter Affiliated Companies, LLC | CA | Business Associate | 48,000 | Ransomware attack at a business associate |
| Reiter Affiliated Health and Welfare Plan | CA | Health Plan | 45,000 | Ransomware attack |
| Anesthesia Services of San Joaquin PC | NY | Healthcare Provider | 44,015 | Hacked network server at management company |
| Anesthesia Associates of El Paso PA | NY | Healthcare Provider | 43,168 | Hacked network server at management company |
| The Physicians’ Spine and Rehabilitation Specialists of Georgia, P.C. | GA | Healthcare Provider | 38,765 | Hacked network server |
| Country Doctor Community Clinic | WA | Healthcare Provider | 38,751 | Hacked network server |
| Resource Anesthesiology Associates PC | NY | Healthcare Provider | 37,697 | Hacked network server at management company |
| Lubbock Heart & Surgical Hospital | TX | Healthcare Provider | 23,379 | Hacked network server |
| Genesis Health Care, Inc. | SC | Healthcare Provider | 21,226 | Hacked network server |
| Resource Anesthesiology Associates of IL PC | NY | Healthcare Provider | 18,321 | Hacked network server at management company |
| Bronx Anesthesia Services PC | NY | Healthcare Provider | 17,802 | Hacked network server at management company |
| Resource Anesthesiology Associates of CA A Medical Corporation | CA | Healthcare Provider | 16,001 | Hacked network server at management company |
| Monroe Ear Nose and Throat Associates, PC | MI | Healthcare Provider | 14,500 | Hacked network server hosting EHRs |
| Magellan Rx Management | MD | Business Associate | 13,663 | Hacked network server |
| Hazleton Anesthesia Services PC | NY | Healthcare Provider | 13,607 | Hacked network server at management company |
| Riverside Medical Group | NJ | Healthcare Provider | 12,499 | Hacked legacy server containing EHRs |
| Anesthesia Associates of Maryland LLC | MD | Healthcare Provider | 12,403 | Hacked network server at management company |
| Northern California Fertility Medical Center | CA | Healthcare Provider | 12,145 | Ransomware attack |
| Neurology Center of Nevada | NV | Healthcare Provider | 11,700 | Hacking incident involving EHRs |
| Dr. Alexander J. Richardson, DPM | OH | Healthcare Provider | 11,300 | Hacking incident involving EHRs |
| WellMed Medical Management | TX | Healthcare Provider | 10,506 | A physician took records to his new practice |

Causes of September 2022 Data Breaches

As is now the norm, the majority of the month’s data breaches were categorized as hacking/IT incidents, which include hacking, ransomware and malware attacks, phishing attacks, and misconfigured databases and cloud resources.

[Chart: Causes of September 2022 healthcare data breaches]

52 breaches – 82% of the month’s total – were hacking/IT incidents, which resulted in the exposure and/or theft of the records of 2,410,654 individuals. The average breach size was 46,359 records and the median breach size was 12,274 records. These incidents accounted for 98.78% of all records breached in September.

Ransomware is commonly used in attacks on hospitals to prevent access to business-critical files and patient records. These attacks typically involve data theft prior to file encryption with the attackers threatening to sell or publish the stolen data if the ransom is not paid. Several threat actors have now dispensed with the file encryption and are just stealing data and demanding payment to prevent its sale or release. That makes the attacks quicker and easier for the attackers and ransoms are still often paid. These extortion-only attacks have been increasing in recent months.

There were 7 unauthorized access/disclosure incidents reported, which include unauthorized access by employees, misdirected emails, and mailing errors. Across the 7 breaches, the records of 24,639 individuals were impermissibly disclosed. The average breach size was 3,250 records and the median breach size was 1,359 records.

There were 4 data breaches reported that involved the loss or theft of electronic devices that contained individually identifiable protected health information. Those devices contained 5,141 records. The average breach size was 1,285 records and the median breach size was 1,207 records. These incidents could have been avoided had data on the devices been encrypted.

The number of email-related data breaches is below the levels normally seen, with just 7 email data breaches reported. However, data from the ransomware remediation firm Coveware suggests email is still the most common way that threat actors gain access to networks in ransomware attacks. One of the largest data breaches reported this month – at CSI Laboratories – saw threat actors gain access to email accounts containing the records of almost 245,000 individuals. The email account was then used in a business email compromise attack to try to reroute CSI customer healthcare provider payments.

[Chart: Location of PHI in September 2022 healthcare data breaches]

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entity in September with 46 data breaches reported, with 10 breaches reported by business associates and 7 breaches reported by health plans. Healthcare providers and health plans often choose to report breaches at business associates themselves, as was the case in 7 data breaches at business associates in September. The pie chart below reflects this and shows where the data breaches actually occurred.

[Chart: September 2022 healthcare data breaches - entities reporting]

Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states reported data breaches in September. New York was the worst affected state with 15 breaches reported. 13 of those breaches were reported by providers of anesthesia services; the breach actually occurred at their management company.

| State | Breaches |
|---|---|
| New York | 15 |
| California | 8 |
| Tennessee & Washington | 5 |
| Florida & Texas | 4 |
| Georgia | 3 |
| Indiana, Maryland, New Jersey, & Pennsylvania | 2 |
| Colorado, Connecticut, Iowa, Michigan, Montana, Nebraska, Nevada, Ohio, Rhode Island, South Carolina, & Wisconsin | 1 |

HIPAA Enforcement Activity in September

The HHS’ Office for Civil Rights agreed to settle HIPAA violations with three healthcare providers in September. All three of the settlements resolved violations of the HIPAA Right of Access, where patients were not provided with timely access to their medical records. All three cases were investigated by OCR after patients filed complaints that they had not been provided with their requested medical records. Great Expressions Dental Center of Georgia was also discovered to have overcharged a patient for providing a copy of her medical records.

Great Expressions Dental Center of Georgia, P.C. settled its case for $80,000, Family Dental Care, P.C. settled its case for $30,000, and B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental, settled its case for $25,000. All three settlements involved a corrective action plan to address the areas of non-compliance.

OCR has now imposed 20 financial penalties on HIPAA-regulated entities to resolve HIPAA violations so far this year – more than any year to date.

The post September 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

CommonSpirit Health Confirms System Outages Caused by Ransomware Attack

On October 3, 2022, CommonSpirit Health experienced a data security incident that forced it to take systems offline, including its electronic health record (EHR) and other critical IT systems. These steps were taken to protect systems from damage, contain the breach, and prevent unauthorized access to sensitive data. CommonSpirit Health issued a statement on October 4, 2022, that provided a brief explanation of the incident, stating there was an IT issue that was being investigated that had resulted in system outages at some of its hospitals and care facilities. CommonSpirit Health is one of the nation’s largest health systems and is the second-largest non-profit health system in the United States, consisting of around 1,500 clinics and hospitals in 21 states. CommonSpirit Health was formed by the merger of CHI Health and Dignity Health in 2019.

Soon after the incident, hospitals and other care facilities across the United States started to confirm that they had been affected, making it clear that the incident was having a nationwide impact. Several CHI Health facilities confirmed they had been affected and were operating under emergency procedures due to the lack of access to essential IT systems. Hospitals in Iowa, Illinois, Nebraska, Tennessee, and Washington all stated that the incident had affected them.

CHI Health issued a statement confirming that the incident at CommonSpirit Health was having an impact on some CHI Health facilities, and that as a precautionary step, some of its systems had been taken offline. Due to patient safety concerns, the decision was taken to cancel, postpone, or reschedule some patient appointments and procedures, access to the patient portal was temporarily suspended, and offline procedures were being followed for processing and managing prescription medications.

These measures were necessary to contain the attack and prevent damage to systems; however, they are having a significant impact on patients, who face delays in receiving medical care. Many are also struggling to get the medications they need to manage their health conditions. MercyOne, the operator of 230 healthcare facilities in Iowa, said the incident took its online scheduling system offline, which has prevented the system from being used to schedule online appointments in Central Iowa.

Several individuals claiming to be employees and patients of CommonSpirit Health have taken to social media sites to voice their concerns. Patients have claimed they have been unable to obtain medical care and prescriptions, including medications for managing cancer at home. Individuals claiming to be employees have explained that it has been a nightmare for staff due to having to work with paper charts. One nurse took to Reddit to explain that staff at the hospital have been unable to access the Downtime Epic EHR system to see patient histories, with the pharmacy unable to verify orders and having to handwrite labels, and with lab orders having to be handwritten and faxed. It has now been 11 days since the attack, and the disruption is still being experienced, with IT systems still offline.

Ransomware Attack Confirmed

No details were initially released about the exact nature of the incident, although security researcher Kevin Beaumont said on Twitter shortly after the attack that the incident response chatter he had heard made it clear that this was a ransomware attack. That has now been confirmed by CommonSpirit Health. HIPAA Journal has not been able to establish at this stage which group is responsible for the attack.

CommonSpirit Health said in a recent update that the incident is an ongoing situation and the response is being managed, with assistance provided by leading cybersecurity specialists. Law enforcement, the Department of Health and Human Services, and other authorities have also been notified about the attack and are providing support.

CommonSpirit Health said that throughout the response, the priority has been to continue to provide the highest quality of care to its patients and ensure patient safety. A forensic investigation is underway to determine the extent of the attack and reviews are being conducted of its systems to determine if there has been any data impact. That process could take some time and further information will be made available when conclusions have been drawn from the investigation.

CHI Health facilities have been affected and are still facing disruption. CommonSpirit Health said it is working hard to bring systems back online safely and will restore functionality as fast as possible. CommonSpirit Health has confirmed that there has been a minimal impact on the systems used by Dignity Health and Virginia Mason Medical Center.

The post CommonSpirit Health Confirms System Outages Caused by Ransomware Attack appeared first on HIPAA Journal.

25% of Healthcare Organizations Said a Ransomware Attack Forced Them to Completely Halt Operations

Ransomware attacks continue to plague the healthcare industry. The attacks disrupt operations due to essential IT systems being taken offline, the lack of access to electronic health records causes patient safety issues, and it is common for emergency patients to be redirected to other facilities immediately after attacks and for appointments to be postponed.

Recently, cybersecurity firm Trend Micro conducted a study to investigate the impact ransomware attacks are having on healthcare organizations. The survey was conducted on 145 business and IT decision-makers in the sector, with a more extensive global study on the ransomware threat conducted by Sapio Research on 2,958 IT security decision-makers in 26 countries.

Trend Micro reports that 25% of all data breaches now involve ransomware. Between 2017 and 2021, ransomware attacks increased by 109%, and 2022 has seen a 13% year-over-year increase in attacks. These attacks are having a major impact on healthcare organizations, which have been actively targeted by several ransomware gangs.

57% of healthcare organizations said they had experienced a ransomware attack at some point in the past 3 years. 86% of healthcare organizations that suffered a ransomware attack suffered operational outages as a direct result of the attack, with 25% of organizations that experienced an attack forced to completely halt operations. 60% said that some business processes were disrupted due to the attack.

The recovery time from these attacks can be considerable, with healthcare organizations continuing to face disruption to their services for extended periods. 56% of organizations represented in the survey said it took several days to recover from the attack, with almost a quarter (24%) saying it took weeks to fully restore operations after an attack.

Data theft is now common in ransomware attacks, with threats issued to publish or sell the stolen data if the ransom is not paid. This tactic has proven so successful that some cybercriminal groups have abandoned ransomware altogether and now just steal data and threaten to publish it if payment is not made. 60% of responding organizations said sensitive data was stolen and leaked by the attackers, with the data theft and leakage leading to reputational damage and compliance risks, and increasing the investigation, remediation, and clean-up costs.

The research indicates healthcare organizations have been taking proactive steps to counter the threat and improve their defenses. 95% of responding organizations said they are patching promptly to address software vulnerabilities, 91% have implemented additional controls to prevent malicious email attachments from being delivered, and adoption of advanced detection and response tools for their network (NDR) and endpoints (EDR) is growing, as is the use of extended detection and response (XDR) solutions.

There is also considerable concern about supply chains. 43% of respondents said their partners have made them more attractive targets for attacks, 43% said they lack visibility across the ransomware attack chain, which is making them more vulnerable, and 36% said a lack of visibility across their attack surfaces has made them a bigger target.

However, the survey revealed several security gaps. For instance, 17% of respondents did not have any remote desktop controls in place, despite RDP vulnerabilities commonly being exploited to gain initial access to healthcare networks. There is considerable room for improvement concerning threat intelligence sharing: 30% admitted they do not share threat intelligence with partners, 46% do not share threat information with suppliers or the broader ecosystem, and one-third (33%) said they do not share any information with law enforcement.

Only 51% of organizations use NDR, 50% use EDR, and 43% use XDR, and only 46% of organizations monitor for living-off-the-land techniques such as the malicious use of tools like Mimikatz and PsExec. Only 42% say they can detect initial access and just 32% can detect lateral movement.
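Monitoring for the living-off-the-land tools named above comes down to a few process-creation and process-access signals that most EDR and SIEM products already collect. The following detector is an added example written for this page, not code from Trend Micro or from any product mentioned in the report. It works over a constructed, pipe-delimited simplification of Windows process-creation (event 1) and process-access (event 10) records; the host names, paths, user names and the allow-list of processes permitted to open LSASS are all assumptions made for the illustration. It goes one step beyond the passage by correlating the client side and the service side of a remote-execution tool into a single lateral-movement alert, which is the detection the survey says only 32% of organizations have.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample: timestamp|host|event_id|image|parent_image|user|command_line
# (a simplification of Sysmon-style records, not a real log format).
SAMPLE_LOG = r"""
2022-10-14T02:11:05Z|WS-042|1|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe|NT AUTHORITY\SYSTEM|svchost.exe -k netsvcs
2022-10-14T02:12:40Z|WS-042|1|C:\Users\jdoe\Downloads\pe.exe|C:\Windows\explorer.exe|CORP\jdoe|pe.exe -accepteula \\SRV-EHR-01 cmd.exe
2022-10-14T02:12:41Z|SRV-EHR-01|1|C:\Windows\PSEXESVC.exe|C:\Windows\System32\services.exe|NT AUTHORITY\SYSTEM|C:\Windows\PSEXESVC.exe
2022-10-14T02:15:03Z|SRV-EHR-01|1|C:\Temp\m.exe|C:\Windows\system32\cmd.exe|NT AUTHORITY\SYSTEM|m.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2022-10-14T02:15:04Z|SRV-EHR-01|10|C:\Temp\m.exe|-|NT AUTHORITY\SYSTEM|target=C:\Windows\system32\lsass.exe access=0x1010
2022-10-14T02:20:00Z|SRV-EHR-01|1|C:\Program Files\EDR\agent.exe|C:\Windows\System32\services.exe|NT AUTHORITY\SYSTEM|agent.exe --scan
"""

Event = namedtuple("Event", "ts host event_id image parent user cmdline")

# Indicators: known client binary names, the service it installs, Mimikatz module
# prefixes, and processes that legitimately open LSASS (assumed allow-list).
PSEXEC_CLIENT_NAMES = {"psexec.exe", "psexec64.exe", "paexec.exe"}
MIMIKATZ_TOKENS = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::")
LSASS_ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "agent.exe"}


def parse_event(line: str) -> Event:
    ts, host, eid, image, parent, user, cmdline = line.split("|", 6)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, int(eid),
                 image, parent, user, cmdline)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(lines, window: timedelta = timedelta(minutes=5)):
    """Return (host, technique, detail) alerts. Per-event rules fire first; the
    final loop correlates a PsExec client run on one host with the PSEXESVC
    service starting on its target shortly afterwards."""
    events = [parse_event(l) for l in lines if l.strip()]
    alerts, clients, services = [], [], []
    for e in events:
        name, low = basename(e.image), e.cmdline.lower()
        if e.event_id == 1:
            # Renamed binaries are caught by the tool-specific flag, not the name.
            if name in PSEXEC_CLIENT_NAMES or "-accepteula" in low:
                m = re.search(r"\\\\([\w.-]+)", e.cmdline)
                target = m.group(1) if m else "?"
                clients.append((e.ts, e.host, target))
                alerts.append((e.host, "psexec_client", f"{name} targeting {target}"))
            if name == "psexesvc.exe" and basename(e.parent) == "services.exe":
                services.append((e.ts, e.host))
                alerts.append((e.host, "psexec_service", "PSEXESVC started by services.exe"))
            if any(tok in low for tok in MIMIKATZ_TOKENS):
                alerts.append((e.host, "credential_dumping_cmdline", e.cmdline))
        elif e.event_id == 10:
            if "lsass.exe" in low and name not in LSASS_ACCESS_ALLOWLIST:
                alerts.append((e.host, "lsass_access", f"{name} opened lsass.exe"))
    for cts, src, tgt in clients:
        for sts, host in services:
            if host.lower() == tgt.lower() and timedelta(0) <= sts - cts <= window:
                alerts.append((src, "lateral_movement", f"{src} -> {host} via PsExec"))
    return alerts


if __name__ == "__main__":
    for host, technique, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{host:<11} {technique:<27} {detail}")
```

The per-event rules are deliberately simple; the value is in the correlation step and in the allow-list, which is where false positives from legitimate administration and endpoint agents are managed. In production the same logic would consume the EDR or SIEM's native event schema rather than the constructed format used here.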

“In cybersecurity, we often talk in abstractions about data breaches and network compromise. But in the healthcare sector, ransomware can have a potentially very real and very dangerous physical impact,” said Bharat Mistry, Technical Director at Trend Micro. “Operational outages put patient lives at risk. We can’t rely on the bad guys to change their ways, so healthcare organizations need to get better at detection and response and share the appropriate intelligence with partners to secure their supply chains.”

The post 25% of Healthcare Organizations Said a Ransomware Attack Forced Them to Completely Halt Operations appeared first on HIPAA Journal.

NIST Urged to Make HIPAA Security Rule Implementation Guidance More Usable by Small Providers

The Health Sector Coordinating Council (HSCC) has urged the National Institute of Standards and Technology (NIST) to provide tailored guidance for smaller and lesser-resourced healthcare organizations on implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and has made several other recommendations to improve the utility of NIST’s new HIPAA Security Rule implementation guidance.


Recently, NIST issued a draft update (SP 800-66r2) to its 2008 publication: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and sought feedback from industry stakeholders ahead of the publication of the final version of the guidance.

SP 800-66r2 provides guidance for HIPAA-regulated entities on assessing and managing risks to ePHI, suggests activities that should be considered as part of an information security program, and provides several useful resources that HIPAA-regulated entities can use to help them implement the requirements of the HIPAA Security Rule.

HSCC is a private sector-led critical infrastructure advisory council of large, medium, and small health industry stakeholders, that works with government partners to identify and mitigate threats and vulnerabilities that have the potential to affect the ability of the sector to deliver healthcare services. HSCC has a Cybersecurity Working Group that represents 350 healthcare organizations that collaborate toward improving the cyber security and resiliency of the healthcare industry and patient safety.

HSCC Recommendations for Improving NIST HIPAA Security Rule Guidance

Improve the Structure to Better Meet the Needs of Smaller Healthcare Organizations

HSCC has made several recommendations for NIST to consider prior to releasing the final version of its guidance. One of the main issues is NIST has created a document that can be used by healthcare organizations of all sizes; however, HSCC suggests this one-size-fits-all approach has resulted in the guidance not being well adapted for smaller healthcare organizations, which are the ones that would benefit most from additional guidance on HIPAA Security Rule compliance.

The problem with the one-size-fits-all approach is that the guidance document – which runs to 139 pages – provides detailed information, but much of that information is not relevant to smaller HIPAA-regulated entities. Resources have been listed to help HIPAA-regulated entities achieve compliance with the HIPAA Security Rule, but insufficient resources are provided specifically for smaller healthcare organizations, and HSCC suggests the listed resources could be better organized to improve the utility of the publication.

Stress the Importance of Adopting Recognized Security Practices

HSCC draws attention to its publication, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which was developed under the 405(d) Program and Task Group to help organizations of all sizes manage cyber threats. HICP was designed to be scalable and flexible enough to be used easily by smaller healthcare organizations, without prescribing a single pathway for improving cyber posture. HSCC recommends that NIST reference HICP and similar resources in its Security Rule guidance.

Now that H.R. 7898 (Public Law 116-321) has been signed into law, HSCC says the Security Rule guidance should explain how adopting recognized security practices benefits healthcare organizations, in the form of shorter compliance audits and reduced fines, together with information on how to implement the security best practices promulgated under section 405(d) of the Cybersecurity Act of 2015 by adopting the NIST Cybersecurity Framework (NIST CSF) and following the recommendations in publications such as HICP.

HSCC also recommends that NIST stress the importance of following cybersecurity best practices, and explain how adopting them helps HIPAA-regulated entities with HIPAA Security Rule compliance and compliance with other Federal mandates, and how following these practices helps ensure business continuity and patient safety. HSCC has recommended that NIST publish separate guidance for small- and mid-sized healthcare organizations, with more tailored resources that stress the importance of practicing good cyber hygiene.

HSCC also draws attention to the use of the terms ‘risk assessment’ and ‘risk analysis’ in the document, which are often used as synonyms even though NIST defines them separately. To avoid confusion, HSCC recommends that NIST use these terms consistently and clarify when a risk analysis or a risk assessment is required.

Help Small Healthcare Providers Prepare for the End of the COVID-19 PHE

HSCC has also drawn attention to the flexibilities introduced in response to the COVID-19 Public Health Emergency (PHE), specifically, the notice of enforcement discretion issued by OCR stating sanctions and penalties will not be imposed for the good faith use of communications technologies for providing telehealth services during the PHE, which would normally not be considered HIPAA-compliant. The guidance should make it clear that as the PHE winds down, healthcare providers should migrate to more secure methods of communication to better protect patient privacy and reduce cyber incidents.

The post NIST Urged to Make HIPAA Security Rule Implementation Guidance More Usable by Small Providers appeared first on HIPAA Journal.

Cybersecurity Awareness Month Focuses on 4 Key Behaviors

October is Cybersecurity Awareness Month – a 19-year collaborative effort between the government and industry to improve awareness of cybersecurity in the United States, led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA).

2022 Cybersecurity Awareness Month – See Yourself in Cyber

The theme of this year’s Cybersecurity Awareness Month is See Yourself in Cyber, with the focus on the actions that everyone should take to improve cybersecurity. In previous years, the month of October has been divided into four weeks, each with a different theme. This year, rather than having a different weekly theme, the focus each week will be on one of four key behaviors that everyone should adopt. Simply practicing these basics of cybersecurity will greatly improve an individual’s and an organization’s security posture.

  1. Enabling multifactor authentication – Improve access controls by requiring a second factor in addition to a password. MFA can prevent stolen credentials alone from being used to access accounts.
  2. Using strong passwords and a password manager – Set strong, unique passwords for all accounts that are resilient to brute force attacks and use a password manager to create those passwords and store them securely in an encrypted password vault.
  3. Updating software – Ensure software is kept up to date and apply patches promptly to correct known vulnerabilities.
  4. Recognizing and reporting phishing – Learn about the signs of phishing, the red flags in emails, text messages, social media posts, and telephone calls that can indicate a phishing attempt, and ensure phishing attempts are reported.

“To build a more resilient nation, everyone—from K through Gray—has a role to play, which is why our theme for this year’s Cybersecurity Awareness Month is ‘See Yourself in Cyber,'” said CISA Director Jen Easterly. “This October, we are taking this message directly to the American people because whether you’re a network defender or anyone with an internet connection, we all have a role to play in strengthening the cybersecurity of our nation.”

Improving Cybersecurity Awareness in Healthcare

Many cyberattacks succeed due to mistakes by employees and a lack of awareness of basic aspects of cybersecurity. According to the 2022 Verizon Data Breach Investigations Report, 82% of data breaches in 2021 involved the human element. Improving security awareness of the workforce by focusing on the above key behaviors will go a long way toward improving security and preventing data breaches.

Security awareness training is a requirement for compliance with the HIPAA Security Rule. The administrative safeguards of the HIPAA Security Rule require all HIPAA-regulated entities to train all workforce members on internal security policies and procedures, with the 45 CFR § 164.308 (a)(5)(i) standard requiring “a security awareness and training program for all members of its workforce (including management).”

HIPAA-regulated entities should adopt a risk-based approach when developing training courses and should teach cybersecurity basics and focus on the most important behaviors that can reduce risk. The HHS’ Office for Civil Rights has issued guidance on aspects of cybersecurity to include in security awareness training programs and raises awareness of important themes in its quarterly cybersecurity newsletters.

“The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” explained OCR in its Q1, 2022 cybersecurity newsletter. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond.” OCR also stressed the need for training to be provided to all members of the workforce, which includes management personnel and senior executives.

Training should be followed up with regular security reminders, which are an addressable implementation specification of the HIPAA Security Rule. Cybersecurity Awareness Month is the ideal time to focus on security reminders and develop a program for delivering them regularly. OCR suggests security reminders can include cybersecurity newsletters, and also phishing simulations sent to members of the workforce to gauge the effectiveness of the security awareness and training program and to provide additional, targeted training to employees who are fooled by the simulations. HIPAA-regulated entities should consider implementing a mechanism that allows employees to easily report phishing attempts and suspicious emails to their security teams, such as an email client add-on that allows one-click reporting, and should use this month to encourage employees to report potential threats.

Multifactor authentication is an effective additional safeguard for improving access controls and preventing stolen credentials from being used to access accounts. This month is the ideal time to accelerate plans to implement multifactor authentication, if MFA has not already been implemented, and to ensure that it is applied to all accounts. Phishing campaigns are now being conducted that bypass certain types of multifactor authentication: adversary-in-the-middle phishing pages relay one-time codes and push approvals to the real login service in real time and capture the resulting session cookie, and repeated push prompts (‘MFA fatigue’) wear users down until they approve one. To protect against these MFA bypass attacks, MFA implementation can be made more resilient by using a solution that supports FIDO2 (Fast IDentity Online) authenticators or certificate-based authentication. With these methods the private key never leaves the user’s device and the response is bound to the legitimate site, so it cannot be captured on a phishing domain and replayed.
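The following Go program is an added example, not code from the HIPAA Journal article or from any FIDO Alliance project, showing the property that makes FIDO2/WebAuthn resistant to relay phishing: the browser writes the page’s real origin into clientDataJSON, the authenticator signs over a hash of that data, and the relying party rejects any assertion whose origin is not its own. The portal origin, the look-alike phishing domain, and the placeholder authenticatorData bytes are assumptions for the example; a real authenticator emits an RP ID hash, flags and a signature counter there.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// rpOrigin is the hypothetical origin of a health system's patient portal (assumed for this example).
const rpOrigin = "https://portal.example-health.org"

// clientData holds the WebAuthn clientDataJSON fields that matter for this check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser hands back to the relying party after the authenticator signs.
type assertion struct {
	AuthData       []byte
	ClientDataJSON []byte
	Signature      []byte
}

// newChallenge issues a fresh random challenge; the relying party remembers it for one login attempt.
func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// signedMessage is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the value a
// WebAuthn authenticator signs.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// sign models the browser plus authenticator. The browser, not the web page, fills in the
// origin it is really on, so a phishing page cannot claim to be the portal. The
// authenticatorData here is a constructed placeholder (assumption for this example).
func sign(key *ecdsa.PrivateKey, browserOrigin, challenge string) assertion {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		panic(err)
	}
	authData := []byte("rpIdHash|flags|counter")
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cd))
	if err != nil {
		panic(err)
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}
}

// verify is the relying party's check: the right ceremony type, the challenge it issued,
// the origin it owns, and a valid signature from the public key enrolled for this user.
func verify(pub *ecdsa.PublicKey, expectedChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("malformed clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	}
	if cd.Challenge != expectedChallenge {
		return fmt.Errorf("challenge mismatch: replayed or stale assertion")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was signed on another site", cd.Origin, rpOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("signature does not verify against the enrolled key")
	}
	return nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	ch := newChallenge()
	// Legitimate login from the real portal: accepted.
	fmt.Println("real portal:", verify(&key.PublicKey, ch, sign(key, rpOrigin, ch)))
	// An adversary-in-the-middle proxy relays the portal's challenge to the victim, but the victim's
	// browser is on the look-alike domain, so that is the origin the authenticator signs over.
	fmt.Println("phishing page:", verify(&key.PublicKey, ch, sign(key, "https://portal-example-health.org", ch)))
}
```

Contrast this with a relayed one-time code, which carries no origin at all and verifies identically whether it was typed into the real portal or a proxy. In a real deployment the browser also refuses to invoke the credential when the RP ID does not match the page’s domain, so the phished assertion is usually never produced; the server-side origin and challenge checks shown here are the backstop, and production verifiers additionally check the RP ID hash, user-presence flag and signature counter in authenticatorData.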

Brute force and credential stuffing attacks often succeed because employees set weak passwords or reuse passwords across multiple accounts. HIPAA-regulated entities should enforce their password policies, but also make compliance with those policies easier for employees by supplying a business password manager. Password managers generate long, random, unique passwords and store them in an encrypted vault, greatly improving password security and management.

It is easy to focus on technical defenses for protecting ePHI and preventing unauthorized access, but the importance of training cannot be overstated. Ensuring all employees are aware of the above key behaviors and are practicing good cyber hygiene will go a long way toward improving the cybersecurity posture of the entire organization.

The post Cybersecurity Awareness Month Focuses on 4 Key Behaviors appeared first on HIPAA Journal.

NIH Needs to Improve Cybersecurity Requirements for its Grant Program

The National Institutes of Health (NIH) failed to implement adequate cybersecurity measures to protect sensitive data in its pre-award risk assessment process, according to a recent audit conducted by the HHS’ Office of Inspector General (OIG).

NIH invests more than $30 billion each year in medical research for the American people, with more than 80% of the funding awarded through approximately 50,000 competitive grants for research institutions within the United States and around the world. Security controls and data safeguards to protect federally funded research efforts are of major importance to both the HHS and the Federal government. OIG engaged CliftonLarsonAllen LLP (CLA) to conduct an audit to determine whether NIH had adequate requirements to ensure that grant awards have risk-based cybersecurity provisions to protect sensitive and confidential data and NIH’s intellectual property.

As a grant-making organization, NIH is required to comply with the uniform administrative requirements in Federal regulations at 45 CFR Part 75, and the Department’s Grants Policy Administration Manual (GPAM). Under 45 CFR Part 75, NIH is required to review the risks posed by applicants, and NIH may impose special conditions on grant recipients corresponding to the degree of risk associated with making a grant award.

The NIH Grants Policy Statement (NIHGPS) calls for grantees to establish and maintain effective internal controls, in compliance with Federal statutes, regulations, and the terms and conditions of the award, and they are required to safeguard assets. Grantees are also responsible for ensuring the privacy and security of sensitive and confidential data. Those requirements include not storing personally identifiable, sensitive, and confidential information about NIH-supported research or research participants on portable electronic devices and implementing controls to prevent unauthorized access to sensitive and confidential data.

OIG found the lack of an adequate pre-award risk assessment process was due to NIH not considering cybersecurity, and not including a special term and condition addressing cybersecurity risk in its Notice of Award. Adequate policies were not in place because the NIHGPS does not include specific, risk-based provisions for considering or requiring cybersecurity. There was also inadequate post-award monitoring of grantees to ensure they were maintaining effective cybersecurity to protect sensitive data and NIH intellectual property.

OIG recommends improvements be made to the NIH grant program cybersecurity requirements, including assessments of its grant award programs to determine which grants should require additional cybersecurity protections due to the research including sensitive and confidential data or NIH intellectual property. Based on the NIH risk assessment of grant awards, funding opportunity announcements or grant terms and conditions should include the specific requirements for cybersecurity that must be implemented.

OIG said NIH should also strengthen its NIHGPS to include clear and measurable standards for cybersecurity, the pre-award process should be strengthened to identify and address how cybersecurity risk will be assessed, and the post-award process should confirm that appropriate cybersecurity protections have been implemented, and that sensitive and confidential information is appropriately safeguarded.

NIH did not indicate concurrence or nonconcurrence with the recommendations, stating that it considers the five recommendations already addressed through its existing NIHGPS requirements, its best practice recommendations, and the planned addition of Data Management and Sharing (DMS) policy statements to the NIHGPS. OIG maintains that its recommendations are valid and has encouraged NIH to implement them.

The post NIH Needs to Improve Cybersecurity Requirements for its Grant Program appeared first on HIPAA Journal.

Medical Device Cybersecurity Requirements Stripped from FDA Reauthorization Bill

The U.S. Food and Drug Administration (FDA) user fee reauthorization bill passed by the House of Representatives in June included new provisions requiring medical device manufacturers to monitor for and address postmarket cybersecurity vulnerabilities in their devices, to provide a software bill of materials (SBOM) with each device, and to ensure devices can receive patches throughout their lifecycle. The bill passed by a vote of 392-28; however, those cybersecurity requirements have now been stripped out.

The FDA’s authorization to collect user fees from drug and device manufacturers, which fund its independent reviews of drugs and medical devices, was due to expire on September 30. With time running out, the new cybersecurity requirements for medical device manufacturers were dropped from the reauthorization after Senate Republican leadership blocked their inclusion. Had the FDA’s 5-year authorization not been renewed, the FDA anticipated being able to continue its review activities for only around 5 weeks before its money ran out. The FDA reauthorization was included in a temporary spending bill that has now been passed and will keep the FDA and the rest of the Federal government funded through December 16, 2022.

“In June, the House passed a user fee reauthorization package on time with overwhelming bipartisan support. After the House passed its user fee package, bipartisan Energy and Commerce and HELP leaders came to agreement on language to cover many significant policy areas that we wanted included in the Continuing Resolution,” said Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) in a statement. “Unfortunately, Senate Republican leadership blocked these policy agreements from being included.”

U.S. Senators Patty Murray (D-WA) and Richard Burr (R-NC), Chair and Ranking Member of the Senate Committee on Health, Education, Labor, and Pensions (HELP), issued a statement on the FDA reauthorization. “We are glad to announce an agreement to reauthorize the FDA user fee programs, which will ensure that FDA can continue its important work and will not need to send out pink slips. However, there is more work ahead this Congress to deliver the kinds of reforms families need to see from FDA, from industry, and from our mental health and pandemic preparedness efforts.” The senators confirmed that they are committed to continuing that work, and will be including strong, bipartisan legislation in a robust end-of-year package.

The removal of the cybersecurity requirements is disappointing but not surprising. Healthcare organizations should not wait for regulatory changes: they should maintain an inventory of the medical devices on their networks, request software bills of materials from manufacturers so that vulnerable components can be identified, apply patches where they are available, and segment devices that cannot be patched, in order to protect their networks, the confidentiality of data, and patient safety.

The post Medical Device Cybersecurity Requirements Stripped from FDA Reauthorization Bill appeared first on HIPAA Journal.