Healthcare Data Security

HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security

The House Committee on Energy and Commerce has urged the HHS to act on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force, calling for prompt action to be taken to address risks.

The Cybersecurity Act of 2015 required Congress to form the Healthcare Cybersecurity Task Force to help identify and address the unique challenges faced by the healthcare industry when securing data and protecting against cyberattacks.

While healthcare organizations are increasing their spending on technologies to prevent cyberattacks, medical devices remain a major weak point and could easily be exploited by cybercriminals to gain access to healthcare networks and data.

Earlier this year, the Healthcare Cybersecurity Task Force made a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet acted on all of the recommendations. The House Committee on Energy and Commerce has now urged the HHS to take action on all the Cybersecurity Task Force’s recommendations.

Last week, Greg Walden (D-Or), Chair of the House Committee on Energy and Commerce, wrote to the HHS, explaining one of the main problems with new technologies is a lack of understanding of their hardware, software, and components.

In the letter, Walden explained, “Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care.”

As Walden explained, the NotPetya and WannaCry ransomware attacks proved that to be the case. Those attacks leveraged a vulnerability in Windows Server Message Block (SMBv1), and following the attacks, healthcare organizations were scrambling to determine which technologies within their networks leveraged SMBv1 to allow them to mitigate risk. That task was made all the more difficult, as information on technologies that leveraged SMBv1 was lacking or was simply unavailable.

Those ransomware/wiper attacks are just two examples. It was the same situation for the SamSam ransomware attacks that leveraged a vulnerability in JBoss, while in 2015, vulnerabilities in the Telnet protocol were discovered. Telnet was used in many medical devices, although the devices that used Telnet was not abundantly clear.

“The existence of insecure or outdated protocols and operating systems within medical technologies is a reality of modern medicine. At the same time, however, this leaves healthcare organizations vulnerable to increasingly sophisticated and rapidly evolving cyber threats,” wrote Walden.

Walden pointed out that the Cybersecurity Task Force has called for a Bill of Materials as a possible solution to the problem. The Bill of Materials would exist for all medical technologies, which detail all the components, software, hardware and protocols used, and any known risks associated with those components. Such a Bill of Materials would make it much easier for healthcare organizations to make security decisions, and mitigate risk when new vulnerabilities are identified.

Having a Bill of Materials for all technologies would not completely protect the healthcare industry, but Walden explains it is a “common sense step” to improving cybersecurity in the industry as a whole.

The HHS has been urged to convene a sector-wide effort to develop a plan for the creation and deployment of BOMs. Walden called for a plan of action be provided by the HHS no later than December 15, 2017.

The post HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security appeared first on HIPAA Journal.

Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks

A recent study conducted by the Ponemon Institute has highlighted current endpoint security trends, details the ever-present threat from ransomware, and shows that fileless malware attacks are on the rise.

Each year, endpoint attacks cost the healthcare industry more than $1 billion. The high cost of mitigating attacks and the growing threat means endpoint security should be a priority for healthcare organizations. Unfortunately, many healthcare organizations are continuing to rely on traditional cybersecurity technologies, which fail to adequately protect against new threats. Further, investment in cybersecurity defenses often involves doubling down on existing technologies, rather than strategic spending on new technologies that are far more effective at reducing the risk of endpoint attacks.

The Barkly-sponsored study was conducted on 665 IT and security professionals. 54% of respondents said they had experienced at least one successful endpoint attack in the past 12 months. Ransomware attacks are rife. More than half of respondents said they had experienced at least one successful ransomware attack this year, while 40% of respondents said they had experienced multiple ransomware attacks.

Oftentimes, organizations pay the ransom to quickly regain access to their data, others are faced with no alternative but to pay the ransom. 65% of surveyed companies reported that they had paid a ransom demand to regain access to their files. The average ransom payment was $3,675.

The threat from ransomware is unlikely to go away. As long as the attacks are profitable, they will continue. A recent report from Cybersecurity Ventures suggests worldwide ransomware damages will reach $5 billion this year and will rise to $11.5 billion in 2019. To put those figures into perspective, the cost of ransomware attacks in 2015 was $325 million.

One of the most worrying endpoint security trends highlighted in the Ponemon Institute report was fileless malware.  Fileless malware attacks have increased considerably in the past 12 months. Out of all organizations that reported experiencing at least one endpoint attack, 77% said at least one of those attacks involved an exploit or fileless malware. Overall, 29% of organizations have experienced a fileless malware attack, a rise of 20% from last year. Ponemon also reports that fileless malware attacks are also 10 times more likely to succeed than other types of malware attacks.

The cost of endpoint attacks is considerable. On average, it costs $301 per employee to mitigate an attack – or $5,010,600 per company, per year, on average. The healthcare industry alone has spent $1.3 billion in the past year mitigating endpoint attacks. Those costs are broken down as 30% due to loss of productivity, 25% due to system downtime, and 23% due to theft of information assets.

Preventing endpoint attacks is seen as a major problem, with more than half of respondents (54%) not believing that endpoint attacks can actually be stopped. Antivirus solutions are necessary to prevent malware infections, although they are rarely effective against current threats such as fileless malware.

“This survey reveals that ignoring the growing threat of fileless attacks could be costly for organizations,” said Ponemon Institute Chairman and Founder Dr. Larry Ponemon. “The cost of endpoint attacks in the companies represented in this study could be as much as $5 million, making an enterprise-wise endpoint security strategy more important than ever.”

The shortfalls of AV software have led many companies to invest in new technologies such as endpoint detection and response solutions, although those solutions do not prevent attacks, only limit the harm caused when they do occur.

50% of companies said they are planning to replace or augment their current endpoint security systems with new tools, although many respondents said they are experiencing problems with endpoint security systems, such as a high false positive rate, complex management of the solutions, and even when solutions are deployed, there are many protection gaps.

The post Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks appeared first on HIPAA Journal.

Patches Released to Address Critical Intel Firmware Vulnerabilities

Patches have been released to address several Intel firmware vulnerabilities that affect 6th, 7th and 8th Generation Intel Core processors, and Xeon, Atom, Apollo Lake, and Celeron processors.

While the patches have been released by Intel, it is likely to take days or weeks before they can be applied. Intel processors are used by a wide variety of PC and laptop manufacturers, which are now required to customize the patches to ensure they are compatible with their systems.

The patches were released late on Monday to fix vulnerabilities that could potentially be exploited by attackers to load and run arbitrary code outside the operating system, unbeknown to users.

If exploited, attackers could crash systems, cause system instability, or gain access to privileged system information. Millions of PCs and servers around the world have these vulnerabilities and require the patches to be applied. Most organizations around the world will have at least one device containing one of the Intel firmware vulnerabilities.

The vulnerabilities have been assigned eight CVEs, four affect Intel Manageability Engine Firmware (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712) two affect Server Platform Service 4.0.x.x (CVE-2017-5706, CVE-2017-5709), and two affect Intel Trusted Execution Engine 3.0.x.x (CVE-2017-5707. CVE-2017-5710). The ME, SPS, and ITE systems are embedded firmware that provide management and code integrity checks on intel powered hardware.

Four of the bugs were identified by security researchers at Positive Technologies, prompting Intel to conduct a full review, which revealed a further four Intel firmware vulnerabilities.

The good news is that in order for the vulnerabilities to be exploited, access to the device would be required. While insiders could run any code on the Management Engine by exploiting the vulnerabilities, it is possible that if other vulnerabilities exist, they could be leveraged by external actors to exploit the vulnerabilities without the need for a local user at a vulnerable device.

The flaws in the Management Engine (ME) are serious because ME is the basis for trust on a system. The ME performs checks on devices to ensure firmware hasn’t been updated or tampered with, so vulnerabilities in the Management Engine could be exploited to change the way the checks are performed.

For example, if a firmware update is attempted, the ME could report that the update has been applied, when it hasn’t. System administrators would believe that devices have been patched, when they remain vulnerable.

Further, since the ME is never switched off, unless power is totally cut to a device, even if the operating system is rebooted, the ME may remain compromised.

Unfortunately, there are no real workarounds other than applying the patches. Manufacturers are now working on customizing Intel’s patches, although since the vulnerabilities affect multiple processors, the process of customizing patches, testing them, and rolling them out could take several weeks.

Lenovo and Dell have already published lists with more than 100 affected systems, with the former expecting to roll out its patched by the end of the month.

Currently it is not believed that any of the vulnerabilities are being actively exploited, although that is almost certain to change over the coming weeks.

A tool has been released to check for the Intel firmware vulnerabilities detailed in security bulletin INTEL-SA-00086, which can be downloaded from the Intel website on this link.

The post Patches Released to Address Critical Intel Firmware Vulnerabilities appeared first on HIPAA Journal.

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October.

The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net.

Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed.

Including the 150,000 individuals impacted by largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017.

The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the past few months hacking has been the leading cause of breaches. That trend has continued in October. Hacking was behind 35.1% of all incidents, insider incidents accounted for 29.7% of the total, with the loss and theft of devices behind 16.2% of incidents. The causes of the remaining 18.9% of breaches is not yet known.

While hacking incidents usually result in more records being exposed or stolen, in October insider errors exposed more healthcare data. 65% of all breached records involved insider errors.

157,737 individuals had their PHI exposed due to insider errors and insider wrongdoing, while hacks resulted in the theft of 56,837 individuals’ PHI. Protenus notes that three incidents were due to the hacking group TheDarkOverlord.

In total, there were 11 breaches that were the result of insiders – five  due to errors and six due to insider wrongdoing. The biggest breach involving insider error was the failure to secure an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports – containing the PHI of at least 150,000 individuals: One of two such incidents reported in October that involved unsecured AWS S3 buckets.

Another insider incident involved the mailing of flyers to individuals where PHI was visible through the envelope – A major incident that potentially caused considerable harm, as the information viewable related to patients’ HIV status.

The average time taken from breach to discovery was 448 days in October. The median time was 304 days, showing healthcare organizations are still struggling to detect data breaches rapidly.

Two HIPAA-covered entities reported breaches to OCR well outside the 60-day deadline stipulated in the HIPAA Breach Notification Rule. One of those incidents was reported three years after the breach was detected. In that case, the breach involved a nurse who was stealing patient records and using the information to file false tax returns. The median time from discovery to reporting was 59 days.

Healthcare providers reported 29 incidents, there were 7 incidents reported by health plans, one breach was reported by a school. Four incidents were known to involve a business associate.

California and Florida were the worst hit states in October with four incidents apiece, followed by Texas and New York.

The post November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches appeared first on HIPAA Journal.

PCI and HIPAA Compliance Comparison

PCI and HIPAA Compliance Comparison

For organizations in healthcare-related industries, who both have access to PHI and accept credit card payments, a PCI and HIPAA compliance comparison can help find overlaps and similarities in their compliance obligations. These overlaps and similarities can assist organizations with their risk assessments in order to avoid duplication and better mitigate the risk of a data breach.

In this comparison between PCI compliance and HIPAA compliance, we have used the PCI Data Security Standard v3.2 as our reference. Readers are advised to review the PCI Security Standards website periodically for updates to the Data Security Standard that may affect the accuracy of this PCI and HIPAA compliance comparison.

PCI and HIPAA Compliance Comparison – Introduction

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts credit card payments, or that stores, processes or transmits cardholder data and/or sensitive authentication data. Similarly, the Healthcare Insurance Portability and Accountability Act (HIPAA) applies to any organization that creates, stores, processes or transmits Protected Health Information.

As will be demonstrated in our PCI and HIPAA compliance comparison, there are many similarities between the PCI DSS and the physical, technical and administrative safeguards of the HIPAA Security Rule. In fact, by complying with some of the PCI compliance requirements (i.e. the encryption of data), organizations will automatically be complying with the encryption requirements within HIPAA.

PCI DSS Compliancy Requirements

On the current version of the PCI Data Security Standard (v3.2), there are twelve compliance requirements. These mirror security best practices that should be present in any organization managing sensitive data, should minimize the likelihood of a data breach using a combination of security mechanisms and security policies. The twelve requirements (with HIPAA compliance comparisons) are:

Install and maintain a firewall configuration to protect cardholder data.

Although the HIPAA Security Rule is “technology neutral”, a suitable firewall or UTM appliance should be the first line of defense against hackers and malicious software attempting to obtain Protected Health Information (PHI). In May 2013, Idaho State University was fined $400,000 for network security inadequacies that included the disconnection of a firewall protecting the ePHI of 17,500 patients.

Do not use vendor-supplied defaults for system passwords and other security parameters.

In HIPAA, passwords are covered within §164.308 of the Security Rule´s administrative safeguards. Individually identifiable passwords are not only required for monitoring access to ePHI, but training should be given to network users about creating complex passwords (to mitigate the risk of brute force attacks) and changing them as often as found necessary by the organization´s risk assessment.

Protect stored cardholder data.

Most organizations subject to HIPAA regulations will be aware they have an obligation to protect stored patient data, not only against unauthorized disclosure, but also against unauthorized amendment and deletion. Organizations should implement whatever security mechanisms are necessary to protect ePHI – whether it is stored on servers, mobile devices or in the cloud.

Encrypt transmission of cardholder data across open, public networks.

Although the HIPAA encryption requirements are an “addressable safeguard of the Security Rule, there are very few justifiable circumstances in which data encryption is not required. Should an organization fail to encrypt ePHI at rest and in transit, it has to record the reasons why in its risk assessments or obtain permission from individuals to store and communicate their PHI without it being encrypted.

Protect all systems against malware and regularly update antivirus software and programs.

A malware infection is regarded as a security incident under §164.304 of the HIPAA Security Rule and, once the infection is detected, organizations must initiate a security incident and response procedure. If there is the likelihood ePHI has been compromised, the incident must be reported to HHS OCR. Ideally, all systems should be protected against malware with the most suitable mechanisms to mitigate risk.

Develop and maintain secure systems and applications.

In a healthcare environment, this not only relates to electronically-stored ePHI, but physical PHI maintain in paper format or other media. The PCI requirement to develop and maintain secure systems and applications is an accurate description of all the requirements in the Security Rule´s technical, physical and administrative safeguards.

Restrict access to cardholder data by business need to know.

This PCI requirement is strikingly similar to the HIPAA Privacy Rule´s “minimum necessary” rule that stipulates organizations must make reasonable efforts to limit the disclosure of PHI to the minimum amount necessary in order to accomplish the intended purpose of the use, disclosure or request. This is particularly appropriate when Covered Entities are sharing PHI with Business Associates.

Identify and authenticate access to system components.

This wide-ranging requirement of PCI – when put into the context of a PCI and HIPAA compliance comparison – can mean everything from implementing secure messaging on mobile devices to implementing access controls to cloud-based data storage facilities. A comprehensive risk assessment will identify which system components require access and authentication controls.

Restrict physical access to cardholder data.

This standard could be interpreted as restricting physical access to ePHI as required by the HIPAA Security Rule §164.310. However, it could also be interpreted as preventing unauthorized personnel from viewing ePHI displayed on a computer monitor or EHR. Organizations should interpret this requirement with relevance to their own specific circumstances and record their conclusions in a risk assessment.

Track and monitor all access to network resources and cardholder data.

With regard to electronically-stored ePHI, this has a close similarity with the “addressable” validation procedures of the HIPAA Security Rule and the password management requirement. Password management and monitoring tools are available to assist compliance with this requirement; and, unless the tools are storing ePHI, no Business Associate Agreement needs to be in place to use them.

Regularly test security systems and processes.

Although the HIPAA Security Rule does not stipulate how frequently risk assessments should be conducted, the Office of National Coordinator recommends security systems and processes should be tested at least once a year, and whenever new technology is implemented or work practices change. If an organization is applying for Meaningful Use incentive payments, an annual test is required anyway.

Maintain a policy that addresses information security for all personnel.

As the HIPAA Security Rules stipulate policies must be created to demonstrate how organizations comply with each of the technical, physical and administrative safeguards, it is highly likely a policy has already been created by HIPAA Covered Entities to address information security. It is also important that a sanctions policy is implemented in order to advise users of the penalties for non-compliance.

PCI and HIPAA Compliance – Conclusion

Although there are many similarities between PCI and HIPAA compliance, because an organization complies with one set of regulations, it does not necessarily follow it complies with the other. For example, a HIPAA-compliant organization may have a justifiable and chronicled reason to avoid data encryption. The lack of encrypted data would make the organization non-compliant with PCI.

Furthermore, in the same way as different states have different laws that can influence how some HIPAA requirements are implemented, each payment card brand (Visa, Mastercard, American Express, etc.) also has its own program for compliance, validation and enforcement. Organizations are advised to research each brand´s requirements to complement their PCI compliance, and review our “HIPAA Compliance Guide” for further information on the HIPAA-related points listed above.

The post PCI and HIPAA Compliance Comparison appeared first on HIPAA Journal.

Is Slack HIPAA Compliant?

Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation?

Is Slack HIPAA Compliant?

There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant.

Since its launch, Slack has not been HIPAA compliant, although steps have been taken to develop a version of the platform that can be used by healthcare organizations. That version is called Slack Enterprise Grid.

Earlier this year, Geoff Belknap, Chief Security Officer at Slack, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.”

Slack Enterprise Grid was announced at the start of 2017. Slack Enterprise Grid is not the same as Slack. It has been built on different code, and has been developed specifically for use by companies with more than 500 employees.

Slack Enterprise Grid incorporates several security features that support HIPAA compliance. Those features include data encryption at rest and in transit, customer message retention to create an audit trail, and support for data loss prevention to ensure that audit trail is maintained.

Slack Enterprise Grid creates detailed access logs, and administrators can remotely terminate connections and sign users out from all connected devices. Team owners can delete all customer data within 24 hours – useful for when users leave the company. Slack also includes team-wide two-factor authentication, creates offsite backups, and is compliant with NIST standards, as well as SOC2 and SOC3.

As Slack explains on its website, “Slack Enterprise Grid customers in regulated industries can benefit from our DLP and eDiscovery support to become HIPAA and FINRA compliant.”

So is Slack HIPAA compliant? No. Is Slack Enterprise Grid HIPAA compliant? It can be.

However, before Slack Enterprise Grid can be used by healthcare organizations for any activities involving PHI, there is the matter of the HIPAA business associate agreement (BAA).

Will Slack Sign a Business Associate Agreement?

A business associate agreement must be signed with a company prior to its platform being used to send or receive protected health information (PHI). And as Slack points out on its website, “Customer must not use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA.”

Slack also states that, “Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a “Business Associate,” suggesting Slack is prepared to sign a BAA for Slack Enterprise Grid.

However, the BAA is not universally offered and is not available on the Slack website. Healthcare organizations considering using Slack Enterprise Grid must contact Slack and request a copy, and scrutinize the BAA – if one is offered.

With a signed BAA, healthcare organizations must then carefully configure the platform. An audit trail must be maintained, user logins carefully set up, policies and procedures developed covering the use of the platform, and staff must be trained. The eDiscovery function must also be activated.

Even with a BAA in place, it will be possible for Slack Enterprise Grid to be used in a manner that is not HIPAA compliant.

The post Is Slack HIPAA Compliant? appeared first on HIPAA Journal.

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed.

Healthcare data breaches by month (July-October 2017)

October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months.

healthcare records breached July-October 2017

Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

October 2017 healthcare data breaches by covered entity type

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8 hacking incidents, four cases of theft, and one unencrypted laptop computer was lost.

cause of october 2017 healthcare data breaches

Unauthorized access/disclosures were the leading causes of October 2017 healthcare data breaches, although hacking/IT incidents exposed more records – Over twice the number of records exposed by unauthorized access/disclosures and hacking/IT incidents exposed more records than all other breach types combined.

october 2017 healthcare data breaches - records exposed

Location of Exposed and Stolen Protected Health Information

Email was the most common location of breached PHI in October. Five of the nine incidents involving email were the result of hacking/IT incidents such as phishing. The remaining four incidents were unauthorized access/disclosures such as healthcare employees sending emails containing PHI to incorrect recipients. Five incidents involved paper records, highlighting the importance of securing physical records as well as electronic protected health information.

october 2017 healthcare data breaches - location of breached PHI

October 2017 Healthcare Data Breaches by State

In October, healthcare organizations based in 22 states reported data breaches. The state that experienced the most data breaches was Florida, with 3 reported breaches. Maryland, Massachusetts, and New York each had two breaches.

Alabama, Arizona, California, Connecticut, Georgia, Iowa, Illinois, Kansas, Kentucky, Louisiana, Missouri, North Carolina, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington each had one reported breach.

Largest Healthcare Data Breaches in October 2017

 

Breached Entity Entity Type Breach Type Individuals Affected
Chase Brexton Health Care Healthcare Provider Hacking/IT Incident 16,562
East Central Kansas Area Agency on Aging Business Associate Hacking/IT Incident 8,750
Brevard Physician Associates Healthcare Provider Theft 7,976
MHC Coalition for Health and Wellness Healthcare Provider Theft 5,806
Catholic Charities of the Diocese of Albany Healthcare Provider Hacking/IT Incident 4,624
MGA Home Healthcare Colorado, Inc. Healthcare Provider Hacking/IT Incident 2,898
Orthopedics NY, LLP Healthcare Provider Unauthorized Access/Disclosure 2,493
Mann-Grandstaff VA Medical Center Healthcare Provider Theft 1,915
Arch City Dental, LLC Healthcare Provider Unauthorized Access/Disclosure 1,716
John Hancock Life Insurance Company (U.S.A.) Health Plan Unauthorized Access/Disclosure 1,715

The post October 2017 Healthcare Data Breaches appeared first on HIPAA Journal.

Cybersecurity in Healthcare Report Highlights Sorry State of Security

Infoblox has released a new cybersecurity in healthcare report which has revealed many healthcare organizations are leaving themselves wide open to attack and are making it far too easy for hackers to succeed.

The cybersecurity in healthcare report was commissioned to help determine whether the healthcare industry is prepared to deal with the increased threat of cyberattacks. Healthcare IT and security professionals from the United States and United Kingdom were surveyed for the report

The report highlighted the sorry state of cybersecurity in healthcare and revealed why cyberattacks so commonly succeed. Devices are left unprotected, outdated operating systems are still in use, many healthcare organizations have poor visibility into network activity, employees are not being trained to identify threats, and there is apathy about security in many organizations.

The Poor State of Cybersecurity in Healthcare

The use of mobile devices in hospitals has increased significantly in recent years. While the devices can help to improve efficiency, mobile devices can introduce considerable risks. 47% of the large healthcare organizations that were surveyed were using more than 5,000 devices on their networks. Securing so many devices and ensuring they are kept up to date and fully patched is a major challenge for healthcare IT and security professionals, but many organizations are unaware of all of the devices that are connecting to their networks.

Ransomware is a major issue for the healthcare industry. The scale of recent ransomware attacks has put many healthcare organizations on alert, and most hospitals are now in a much better position to deal with attacks when they occur. In the United Kingdom, 15% of respondents said they do not have a plan that could be implemented in the event of a ransomware attack. The lack of planning can result in far greater disruption when an attack occurs.

One in five respondents said devices were in use that were running on Windows XP, even though the operating system has been retired and has not been supported since April 2014. 22% said they were still using Windows 7, which had vulnerabilities that were exploited in the WannaCry attacks. Only 57% of organizations said they were patching their systems at least once a week.

18% of respondents said they had medical devices with unsupported operating systems. Infoblox drew attention to the fact that 7% of respondents didn’t know what operating system that their medical devices are running on, and out of those who do, 26% of large organizations said that they either don’t know or don’t care if they can update those systems.

Those findings make it no surprise that attacks like WannaCry occurred and hit the healthcare industry in the UK so hard.

Cybersecurity Spending is Increasing, but Money is Not being Spent Strategically

The report shows that healthcare organizations are responding to the elevated threat of cyberattacks by investing more heavily in security. 85% of healthcare organizations have increased cybersecurity spending in the past year, and 12% say they have increased spending by more than 50%.

The two technologies that are most commonly chosen are anti-virus solutions (61%) and firewalls (57%), with half of surveyed organizations also having invested in network monitoring technology to identify malicious network activity. Application security solutions are also a popular choice, chosen by 37% of organizations, while one third have invested in DNS security solutions to block data exfiltration and disrupt DDoS attacks.

In the United States, approximately half of healthcare professionals said they had started encrypting their data, compared to 36% in the UK.  Healthcare organizations are now realizing the benefits of providing security awareness training to staff, although worrying, only 35% do. PhishMe reports that more than 90% of cyberattacks start with a phishing email, yet only 33% said they had invested in email security solutions.  Signing up to threat intelligence services can help organizations be more proactive about cybersecurity, yet only 30% of respondents said they had signed up to receive threat intelligence reports.

Recommendations to Improve Cybersecurity in Healthcare

Based on the findings of the report, Infoblox made several recommendations for healthcare organizations to help them mitigate the threat of cyberattacks.

Those recommendations include planning to update operating systems to supported versions. The short-term issues that software updates create are far better than the widespread disruption caused by cyberattacks that exploit vulnerabilities on those outdated systems.

Organizations were advised to know their networks better – the operating systems in use, the devices that are allowed to connect to the network, and the importance of monitoring network activity to detect intrusions.

Organizations must plan for ransomware attacks to minimize disruption. 15% of healthcare organizations still do not have a plan in place to respond if ransomware is installed, even with the elevated threat of attacks on healthcare organizations.

IT security budgets may be increasing, but those budgets must be spent wisely. Investing more money in traditional defenses may not be the best use of budgets.

“Digital transformation presents a massive opportunity to support the doctors and nurses who work tirelessly – but these new technologies also introduce new cyber risk that must be mitigated,” said Rob Bolton, Director of Western Europe at Infoblox. “It’s crucial that healthcare IT professionals plan strategically about how they can manage risk within their organization and respond to active threats to ensure the security and safety of patients and their data.”

The post Cybersecurity in Healthcare Report Highlights Sorry State of Security appeared first on HIPAA Journal.

Is Google Hangouts HIPAA Compliant?

Is Google Hangouts HIPAA compliant? Can Google Hangouts be used by healthcare professionals to transmit and receive protected health information (PHI)?

Is Google Hangouts HIPAA Compliant?

Healthcare organizations frequently ask about Google services and HIPAA compliance, and one product in particular has caused some confusion is Google Hangouts. Google Hangouts is the latest incarnation of the Hangouts video chat system, and has taken the place of Huddle (Google+ Messenger). Google Hangouts is a cloud-based communication platform that incorporates four different elements: Video chat, SMS, VOIP, and an instant messaging service.

Google will sign a business associate agreement for G Suite, which currently covers the following Google core services

  • Gmail
  • Calendar
  • Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms)
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Google Cloud Search
  • Vault (If applicable)
  • Google Hangouts (Chat messaging)
  • Hangouts Meet

The Business Associate Agreement does not cover Google Groups, Google Contacts, and Google+, none of which can be used in conjunction with protected health information. Google also advises users to disable the use of non-core services in relation to G suite – for example YouTube, ​Blogger ​and Google ​Photos.

So, certain elements of Google Hangouts are HIPAA compliant and can be used by HIPAA covered entities without violating HIPAA Rules, provided that prior to the use of the services with PHI, the covered entity has entered into a business associate agreement with Google.

However, even with a BAA in place, not all elements of Google Hangouts are HIPAA compliant, so covered entities must exercise caution. Video chat for instance, is not covered by the BAA so cannot be used, and neither the SMS and VOIP options.

To help make Google Hangouts HIPAA compliant, Google has released a guide for healthcare organizations.

Google Hangouts HIPAA Compliance Depends on Users

If you decide to allow the use of Google Hangouts in your organization, it important to address the allowable uses of Google Hangouts with respect to PHI through policies and procedures. Staff must be trained on the correct use of the platform, and instructed which elements of Google Hangouts can be used and which are prohibited. If video chat is important for your organization, you should seek a HIPAA-compliant alternative platform.

As we have mentioned in a previous post, simply obtaining a BAA from Google is no guarantee of HIPAA compliance – that will depend on how Google services are configured and how they are used – See this page for further information of G Suite HIPAA Compliance.

Don’t Forget to Implement Additional Safeguards for Mobile Devices

One area where HIPAA-covered entities could easily violate HIPAA Rules is the use of Google Hangouts on mobile devices. Google does have excellent security controls that can alert users to potential unauthorized access of their Google account. These should be configured to ensure inappropriate access attempts are identified rapidly. Controls should also be implemented on mobile devices to ensure that the devices are protected in case of loss or theft.

Access controls on the device should be implemented to prevent the device, and any ePHI stored on it, from being easily accessed. Policies and procedures should also be developed to ensure lost and stolen devices are reported promptly, and actions taken to secure accounts. It is also recommended to implement controls that allow lost and stolen devices to be located, locked, and remotely wiped.

The post Is Google Hangouts HIPAA Compliant? appeared first on HIPAA Journal.