Healthcare Information Technology

HHS Releases Final Trusted Exchange Framework and Common Agreement

The Department of Health and Human Services’ Office of the National Coordinator for Health IT has released the final version of its Trusted Exchange Framework and the Common Agreement (TEFCA) – a governance framework for nationwide health information exchange. Two previous versions of TEFCA have been released, the first in 2018 and the second in 2019, with the final version taking into consideration feedback provided by healthcare industry stakeholders. TEFCA was a requirement of the 21st Century Cures Act and has been 5 years in the making. The announcement this week sees the HHS finally move into the implementation phase of TEFCA.

The Trusted Exchange Framework is a set of non-binding foundational principles for health information exchange and outlines propositions for standardization, cooperation, privacy, security, access, equity, openness and transparency, and public health. The second component is the common agreement, which is a legal contract that a Qualified Health Information Network (QHIN) enters into with the ONC’s Recognized Coordinating Entity (RCE). The RCE, the Sequoia Project, is a body charged with developing, updating, and maintaining the Common Agreement and overseeing QHINs.

The framework promotes secure health information exchange across the United States and is intended to improve the interoperability of health information technology, including the electronic health record systems used by hospitals, health centers, and ambulatory practices, and health information exchange with federal government agencies, health information networks, public health agencies, and payers.

“The Common Agreement establishes the technical infrastructure model and governing approach for different health information networks and their users to securely share clinical information with each other – all under commonly agreed-to rules-of-the-road,” explained ONC in a press release. The Common Agreement supports multiple exchange purposes that are required to improve healthcare and should benefit a wide variety of healthcare entities. The Common Agreement operationalizes electronic health information exchange and provides easier ways for individuals and organizations to securely connect. TEFCA will also provide benefits to patients, such as allowing them to obtain access to their healthcare data through third parties that offer individual access services.

ONC’s RCE will sign a legal contract with each QHIN and entities will be able to apply to be designated as QHINs shortly. When designated as a QHIN they will be able to connect with each other and their participants will be able to participate in health information exchange across the country. ONC has released a QHIN Technical Framework which details the functional and technical requirements that QHINs will need to bring the new connectivity online. The HHS has also announced that the TEFCA Health Level Seven (HL7) Fast Healthcare Interoperability Resource (FHIR) Roadmap (TEFCA FHIR Roadmap) is now available, which explains how TEFCA will accelerate the adoption of FHIR-based exchange across the industry.

“Operationalizing TEFCA within the Biden Administration’s first year was a top priority for ONC and is critical to realizing the 21st Century Cures Act’s goal of a secure, nationwide health information exchange infrastructure,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “Simplified nationwide connectivity for providers, health plans, individuals, and public health is finally within reach. We are excited to help the industry reap the benefits of TEFCA as soon as they are able.”

ONC said its RCE will be hosting a series of public engagement webinars to provide further information on the Trusted Exchange Framework and the Common Agreement, which will explain how they work to help prospective QHINs determine whether to sign the Common Agreement

The post HHS Releases Final Trusted Exchange Framework and Common Agreement appeared first on HIPAA Journal.

Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information

In 2019, it was alarming that healthcare data breaches were being reported at a rate of more than 1 a day. In 2021, there have been several months where healthcare data breaches have been occurring at a rate of more than 2 per day. With data breaches occurring so regularly and ransomware attacks disrupting healthcare services, it is no surprise that many patients do not have much trust in their healthcare providers to protect sensitive personally identifiable information (PII).

That has been confirmed by a recent survey conducted by Dynata on behalf of Semafone. 56% of patients at private practices said they do not trust their healthcare providers to protect PII and payment information. Smaller healthcare providers have smaller budgets for cybersecurity than larger healthcare networks, but trust in large hospital networks is far lower. Only 33% of patients of large hospital networks trusted them to be able to safeguard their PII.

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, has stepped up enforcement of compliance with the HIPAA Rules in recent years and is increasingly imposing financial penalties for HIPAA Privacy and Security Rule violations. The survey confirmed that patients want healthcare providers to face financial penalties when they fail to ensure the confidentiality of healthcare data. 9 out of 10 patients were in favor of financial penalties for healthcare providers that fail to implement appropriate protections to prevent healthcare data breaches.

Further, when data breaches occur, patients are willing to switch providers. 66% of patients said they would leave their healthcare provider if their PII or payment information was compromised in a data breach that occurred as a result of the failure to implement appropriate security measures. Another 2021 survey, conducted on behalf of Armis, had similar findings. 49% of patients said they would switch provider if their PHI was compromised in a ransomware attack.

The pandemic has increased the risk patients face from healthcare data breaches. Before the pandemic, many patients paid their medical bills in person or by mail, but the Semafone survey showed both payment methods are in decline, with many patients now choosing to pay electronically. There has been a 28% fall in in-person payments and a 17% drop in mail-in payments. With financial information more likely to be stored by healthcare providers, the risk of financial harm from a data breach has increased substantially.

Semafone explained in its 2021 State of Healthcare Payment Experience and Security Report that the increase in healthcare data breaches has led to patients having a heightened sense of awareness and interest in the processes their providers take to protect their information. Semafone suggests healthcare providers, and especially large hospital networks, need to pay more attention to the digital transformation measures they take to keep sensitive information secure.

“Regardless of size, the entire healthcare industry must do better at navigating and preventing data breaches,” said Gary E. Barnett, CEO of Semafone. “The sheer number of breaches in and out of healthcare is problematic. Fortunately, there are solutions that provide security and help meet compliance standards, but many of today’s companies still rely on outdated processes for operations. It is no longer acceptable to claim they aren’t aware that highly efficient, effective, and automated solutions exist to save time, money, and risk. Healthcare organizations must seek the right technologies and processes to protect the patient experience.”

While most patients (75%) said they feel confident that their healthcare providers are doing a good job at disclosing how payment information is secured, only 50% said they know where their payment data was stored. “As a patient, understanding where and how personal and payment information is stored is important to protect against potential fraud and breaches,” explained Semafone in the report. “Given the large number unaware of where their data is stored, providers have an opportunity to increase education and communication with patients to, in turn, improve the experience and overall sentiment toward the providers for the future.”

The post Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information appeared first on HIPAA Journal.

Learnings from a Major Healthcare Ransomware Attack

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems which caused major disruption to healthcare services across the country.

Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE.

Cybersecurity Failures that are Common in the Healthcare Industry

PWC’s recently published report highlights a number of security failures that allowed HSE systems to be infiltrated. While the report is specific to the HSE cyberattack, its findings are applicable to many healthcare organizations in the United States that have similar unaddressed vulnerabilities and a lack of preparedness for ransomware attacks. The recommendations made by PWC can be used to strengthen defenses to prevent similar attacks from occurring.

While the HSE ransomware attack affected a huge number of IT systems, it started with a phishing email. An employee was sent an email with a malicious Microsoft Excel spreadsheet as an attachment on March 16, 2021. When the attachment was opened, malware was installed on the device. The HSE workstation had antivirus software installed, which could have detected the malicious file and prevented the malware infection; however, the virus definition list had not been updated for over a year, which rendered the protection near to non-existent.

From that single infected device, the attacker was able to move laterally within the network, compromise several accounts with high-level privileges, gain access to large numbers of servers, and exfiltrate data ‘undetected’.  On May 14, 2021, 8 weeks after the initial compromise, Conti ransomware was extensively deployed and encrypted files. The HSE detected the encryption and shut down the National Health Network to contain the attack, which prevented healthcare professionals across the country from accessing applications and essential data.

During the 8 weeks that its systems were compromised, suspicious activity was detected on more than one occasion which should have triggered an investigation into a potential security breach, but those alerts were not acted upon. Had they been investigated the deployment of ransomware could have been prevented and potentially also the exfiltration of sensitive data.

Simple Techniques Used to Devastating Effect

According to PWC, the attacker was able to use well-known and simple attack techniques to move around the network, identify and exfiltrate sensitive data, and deploy Conti ransomware over large parts of the IT network with relative ease. The attack could have been far worse. The attacker could have targeted medical devices, destroyed data at scale, used auto-propagation mechanisms such as those used in the WannaCry ransomware attacks, and could also have targeted cloud systems.

The HSE made it clear that it would not be paying the ransom. On May 20, 2021, 6 days after the HSE shut down all HSE IT system access to contain the attack, the attackers released the keys to decrypt data. Had it not been for a strong response to the attack and the release of the decryption keys the implications could have been much more severe. Even with the keys to decrypt data it took until September 21, 2021, for the HSE to successfully decrypt all of its servers and restore around 99% of its applications. The HSE estimated the cost of the attack could rise to half a billion Euros.

Ireland’s Largest Employer Had No CISO

PWC said the attack was possible due to a low level of cybersecurity maturity, weak IT systems and controls, and staffing issues.  PWC said there was a lack of cybersecurity leadership, as there was no individual in the HSE responsible for providing leadership and direction of its cybersecurity efforts, which is very unusual for an organization with the size and complexity of the HSE. The HSE is Ireland’s largest employer and had over 130,000 staff members and more than 70,000 devices at the time of the attack, but the HSE only employed 1,519 staff in cybersecurity roles. PWC said employees with responsibility for cybersecurity did not have the necessary skills to perform the tasks expected of them and the HSE should have had a Chief Information Security Officer (CISO) with overall responsibility for cybersecurity.

Lack of Monitoring and Insufficient Cybersecurity Controls

The HSE did not have the capability to effectively monitor and respond to security alerts across its entire network, patching was sluggish and updates were not applied quickly across the IT systems connected to the National Health Network. The HSE was also reliant on a single anti-malware solution which was not being monitored or effectively maintained across its entire IT environment. The HSE also continued to use legacy systems with known security issues and remains heavily reliant on Windows 7.

“The HSE is operating on a frail IT estate that has lacked the investment over many years required to maintain a secure, resilient, modern IT infrastructure. It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyber attacks that all organizations face today,” concluded PWC. “It does not have sufficient subject matter expertise, resources, or appropriate security tooling to detect, prevent or respond to a cyber attack of this scale. There were several missed opportunities to detect malicious activity, prior to the detonation phase of the ransomware.”

Similar vulnerabilities in people, processes, and technology can be found in many health systems around the world, and the PWC recommendations can be applied beyond the HSE to improve cybersecurity and make it harder for attacks such as this to succeed.

The PWC report, recommendations, and learnings from the incident can be found here (PDF).

The post Learnings from a Major Healthcare Ransomware Attack appeared first on HIPAA Journal.

CISA Publishes Mobile Device Cybersecurity Checklist for Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance for enterprises to help them secure mobile devices and safely access enterprise resources using mobile devices.

The Enterprise Mobility Management (EMM) system checklist has been created to help businesses implement best practices to mitigate vulnerabilities and block threats that could compromise mobile devices and the enterprise networks to which they connect. The steps outlined in the checklist are easy for enterprises to implement and can greatly improve mobile device security and allow mobile devices to be safely used to access business networks.

CISA recommends a security-focused approach to mobile device management. When selecting mobile devices that meet enterprise requirements, an assessment should be performed to identify potential supply chain risks. The Mobile Device Management (MDM) system should be configured to update automatically to ensure it is always running the latest version of the software and patches are applied automatically to fix known vulnerabilities.

A policy should be implemented for trusting devices, with access to enterprise resources denied if the device does not have the latest patch level, has not been configured to enterprise standards, is jailbroken or rooted, and if the device is not continuously monitored by the EMM.

Strong authentication controls need to be implemented, including strong passwords/PINs, with PINs consisting of a minimum of 6 digits. Wherever possible, face or fingerprint recognition should be enabled. Two-factor authentication should be implemented for enterprise networks that require a password/passphrase plus one additional method of authentication such as an SMS message, rotating passcode, or biometric input.

CISA recommends practicing good app security, including only downloading apps from trusted app stores, isolating enterprise applications, minimizing PII stored in apps, disabling sensitive permissions, restricting OS/app synchronization, and vetting enterprise-developed applications.

Network communications should be protected by disabling unnecessary network radios (Bluetooth, NFC, Wi-Fi, GPS) when not in use, disabling user certificates, and only using secure communication apps and protocols such as a VPN for connecting to the enterprise network.

Mobile devices should be protected at all times. A Mobile Threat Defense (MTD) system should guard against malicious software that can compromise apps and operating systems and detect improper configurations. Devices should only be charged using trusted chargers and cables, and the lost device function should be enabled to ensure the devices are wiped after a certain number of incorrect login attempts (10 for example). It is also important to protect critical enterprise systems and prevent them from being accessed using mobile devices due to the risk of transferring malware.

The CISA mobile device cybersecurity checklist for organizations can be downloaded here.

The post CISA Publishes Mobile Device Cybersecurity Checklist for Organizations appeared first on HIPAA Journal.

Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities

13 vulnerabilities have been identified in the Siemens Nucleus RTOS TCP/IP stack that could potentially be exploited remotely by threat actors to achieve arbitrary code execution, conduct a denial-of-service attack, and obtain sensitive information.

The vulnerabilities, dubbed NUCLEUS:13, affect the TCP/IP stack and related FTP and TFTP services of the networking component (Nucleus NET) of the Nucleus Real-Time Operating System (RTOS), which is used in many safety-critical devices. In healthcare, Nucleus is used in medical devices such as anesthesia machines and patient monitors.

One critical vulnerability has been identified that allows remote code execution which has a CVSS v3 severity score of 9.8 out of 10. Ten of the vulnerabilities are rated high severity flaws, with CVSS scores ranging from 7.1 to 8.8. There are also two medium-severity flaws with CVSS scores of 6.5 and 5.3.

The vulnerabilities were identified by security researchers at Forescout Research Labs, with assistance provided by researchers at Medigate.

The vulnerabilities affect the following Nucleus RTOS products:

  • Capital VSTAR: All versions
  • Nucleus NET: All versions
  • Nucleus ReadyStart v3: All versions prior to v2017.02.4
  • Nucleus ReadyStart v4: All versions prior to v4.1.1
  • Nucleus Source Code: All versions

Identifying where vulnerable code has been used is a challenge. The researchers attempted to estimate the impact of the vulnerabilities based on evidence collected from the official nucleus website, the Shodan search engine, and the Forescout device cloud. Healthcare is the worst affected industry, with 2,233 vulnerable devices. 1,066 government devices were identified as vulnerable, with other vulnerable devices found in retail (348), financial (326), manufacturing (317), with 1,176 vulnerable devices found in other industry sectors. 76% of the vulnerable devices are used for building automation, 13% are used in operational technology, 4% for networking, 5% IoT, and 2% were computers running Nucleus.

The vulnerabilities were reported to Siemens under responsible disclosure guidelines and Siemens has made patches available to fix all of the identified vulnerabilities. Siemens said some of the flaws had been identified and addressed in previously released versions, but no CVEs were issued.

Applying patches to fix the vulnerabilities can be a challenge, especially for embedded devices and those of a mission-critical nature, such as devices used in healthcare settings.

If patches cannot be applied, Forescout and Siemens recommend implementing mitigating measures to reduce the potential for exploitation. Siemens recommends protecting network access to devices with appropriate mechanisms and ensuring the devices operate within protected IT environments that have been configured in accordance with Siemens’ operational guidelines.

Forescout has released an open-source script that uses active fingerprinting to detect devices running Nucleus for discovery and inventory purposes. After identifying devices, Forescout recommends enforcing segmentation controls and practicing proper network hygiene, including restricting external communication paths and isolating or containing vulnerable devices in zones until they can be patched.

In addition, all network traffic should be monitored for malicious traffic and progressive patches released by vendors of affected devices should be monitored. A remediation plan should be developed for all vulnerable assets that balances risk with business continuity requirements.

Specific mitigations recommended by Forescout are detailed in the table below:

Nucleus 13 Mitigations recommended by Forescout.

The post Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities appeared first on HIPAA Journal.

Vulnerabilities Identified in B. Braun Infusomat Space and Perfusor Space Infusion Pumps

B. Braun has released software updates to fix five vulnerabilities in its Infusomat Space and Perfusor Space Infusion Pumps. The vulnerabilities could be exploited remotely in a low complexity attack.

In North America, the flaws affect Battery pack SP with WiFi (All software Versions 028U000061 and earlier) that have been installed in an Infusomat Space Infusion Pump or a Perfusor Space Infusion pump, and SpaceStation with SpaceCom 2 (All software Versions 012U000061 and earlier). The vulnerabilities were identified by Douglas McKee and Philippe Laulheret of McAfee, who reported them to B. Braun.

The most serious vulnerability is a critical flaw in B. Braun SpaceCom2 that has been assigned a CVSS severity score of 9 out of 10. The flaw – tracked as CVE-2021-33885 – is due to insufficient verification of data authenticity and could be exploited by a remote attacker to send malicious data to the device, which would be used in place of the correct data.

An improper input validation flaw – CVE-2021-33886 – would allow a remote unauthenticated attacker to gain user-level command-line access by passing a raw external string straight through to printf statements, although the attacker would need to be on the same network as the device, which limits the potential for exploitation. The flaw has been assigned a CVSS score of 6.8.

A missing authentication for critical function vulnerability – CVE-2021-33882 – could be exploited by a remote attacker to reconfigure the device from an unknown source, due to the lack of authentication on proprietary networking commands. The flaw has also been assigned a CVSS score of 6.8.

Due to unrestricted uploads of dangerous file types, a remote attacker could upload a malicious file to the /tmp directory of the device through the webpage API, which could result in critical files being overwritten affecting device functionality. The flaw is tracked as CVE-2021-33884 and has a CVSS severity score of 6.5.

The last vulnerability is an information exposure issue that could allow an attacker to obtain critical values for a pump’s internal configuration due to the transmission of sensitive information in cleartext. The flaw is tracked as CVE-2021-33883 and has been assigned a CVSS severity score of 5.9.

  1. Braun has fixed the flaws in the following software updates:
  • Battery pack SP with Wi-Fi, software 028U00062 (SN 138852 and lower)
  • Battery pack SP with Wi-Fi, software 054U00091 (SN 138853 and higher)
  • SpaceStation with SpaceCom 2 software Versions 012U000083

At present, there have been no reported cases of exploitation of the flaws; however, the updates should be applied as soon as possible.

B.Braun also recommends ensuring infusion pumps are housed in separate environments that are protected by firewalls or VLANs, that authentication measures are put in place to prevent unauthorized access, and that the devices are not directly accessible over the Internet. If remote access is required, secure methods of access should be used, such as a Virtual Private Network (VPN).

The post Vulnerabilities Identified in B. Braun Infusomat Space and Perfusor Space Infusion Pumps appeared first on HIPAA Journal.

KLAS Research: Clinical Communication Platforms Improve Efficiency in Healthcare

The recently published 2021 KLAS Clinical Communication Platform Report has confirmed clinical communication platforms improve efficiency in healthcare, streamline communication across most areas of hospitals, and lead to concrete outcomes, with improvements to clinical communication the biggest benefit.

KLAS Research is a Utah-based company that provides data and insights into health information technology (HIT) that helps healthcare organizations identify HIT solutions that will provide important benefits and a good ROI. KLAS collects data on HIT solutions, including from healthcare industry reports, websites, and feedback from healthcare professionals that are using HIT in the workplace. KLAS analyzes the data, identifies key trends and insights, and produces reports on the findings of its research. The researchers also work with leadership teams at vendors to help them improve their HIT solutions based on user feedback to help them deliver better outcomes.

For its latest Clinical Communication Platform Report, KLAS researchers profiled some of the most innovative and cutting-edge vendors in the field whose solutions are delivering invaluable benefits in healthcare and users of clinical communication platforms were surveyed and asked for their feedback on the solutions they have adopted.

TigerConnect, the leading clinical communication platform provider in the United States, was recognized as having the largest base of acute care customers and for the value its clinical communication platform delivered. Feedback from healthcare professionals that use the platform confirmed it has led to improved efficiency for clinical support staff and improved nurse satisfaction and patient satisfaction and care through timely, efficient communication.

The top outcomes healthcare delivery organizations have achieved by implementing the TigerConnect platform are improved clinician response times, increased transparency into patient teams and schedules, and increased clinician workflow satisfaction with fewer call interruptions and much easier access to communication. TigerConnect customers confirmed the solution has helped improve patient team collaboration in terms of patient transport, bed management and environmental services, increased access to and the secure sharing of patient data, more efficient clinics and outpatient care, and a reduction in readmissions, fewer errors, and a faster crash team response.

“Our administration uses TigerConnect’s solution. If people ask for TigerConnect accounts, we can give them accounts. I don’t know how we would have been able to get through the COVID-19 pandemic without this solution,” said one TigerConnect user.

The solution was highly praised for ease of use coupled with enterprise contracting, which allows simple rollouts by many different user groups to achieve organization-wide efficient communication.

“One outcome that we have achieved with TigerConnect’s solution has been improved communication between our nurses, providers and administration. We can just text someone in administration rather than having to know their personal phone number.,” said one TigerConnect user. “The value of adding two-way asynchronous communication in our clinical areas has been huge. They can always put themselves on ‘do not disturb’ if they don’t want people to text them. When nurses or providers are actively engaged with patients, they can get the information they need with the system, and then return that information.”

This year has seen TigerConnect roll out significant feature enhancements based on customer feedback, and the company has also made key acquisitions of on-call physician scheduling and advanced middleware solutions, deepening the capabilities of its platform considerably.

“2021 has proven a tipping point as healthcare systems evolve their requirements from secure messaging to the most contextual, advanced clinical collaboration experiences. Clinicians are demanding an all-in-one mobile collaboration experience that helps them raise the standard of care and improve patient outcomes,” said Will O’Connor, MD, TigerConnect Chief Medical Information Officer. “The KLAS report validates TigerConnect in our vision to make hospitals and care delivery more agile.”

The post KLAS Research: Clinical Communication Platforms Improve Efficiency in Healthcare appeared first on HIPAA Journal.

NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued new guidance on selecting and improving the security of Virtual Private Networks (VPN) solutions.

VPN solutions allow remote workers to securely connect to business networks. Data traffic is routed through an encrypted virtual tunnel to prevent the interception of sensitive data and to block external attacks. VPNs are an attractive targeted for hackers, and vulnerabilities in VPN solutions have been targeted by several Advanced Persistent Threat (APT) groups. APT actors have been observed exploiting vulnerabilities in VPN solutions to remotely gain access to business networks, harvest credentials, remotely execute code on the VPN devices, hijack encrypted traffic sessions, and obtain sensitive data from the devices.

Several common vulnerabilities and exposures (CVEs) have been weaponized to gain access to the vulnerable devices, including Pulse Connect Secure SSL VPN (CVE-2019-11510), Fortinet FortiOS SSL VPN (CVE-2018-13379), and Palo Alto Networks PAN-OS (CVE_2020-2050). In some cases, threat actors have been observed exploiting vulnerabilities in VPN solutions within 24 hours of patches being made available.

Earlier this year, the NSA and CISA issued a warning that APT groups linked to the Russian Foreign Intelligence Service (SVR) had successfully exploited vulnerabilities in Fortinet and Pulse Secure VPN solutions to gain a foothold in the networks of U.S. companies and government agencies. Chinese nation state threat actors are believed to have exploited a Pulse Connect Secure vulnerability to gain access to the networks of the U.S. Defense Industrial Base Sector. Ransomware gangs have similarly been targeting vulnerabilities in VPNs to gain an initial foothold in networks to conduct double-extortion ransomware attacks.

The guidance document is intended to help organizations select secure VPN solutions from reputable vendors that comply with industry security standards who have a proven track record of remediating known vulnerabilities quickly. The guidance recommends only using VPN products that have been tested, validated and included in the National Information Assurance Partnership (NIAP) Product Compliant List. The guidance recommends against using Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs, which use non-standard features to tunnel traffic via TLS as this creates additional risk exposure.

The guidance document also details best practices for hardening security and reducing the attack surface, such as configuring strong cryptography and authentication, only activating features that are strictly necessary, protecting and monitoring access to and from the VPN, implementing multi-factor authentication, and ensuring patches and updates are implemented promptly.

The post NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security appeared first on HIPAA Journal.

FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches

Developers of health apps and wearable devices such as fitness trackers that collect health data have been warned by the Federal Trade Commission (FTC) that they are required to comply with the FTC Health Breach Notification Rule and must notify consumers about data breaches.

The FTC Health Breach Notification Rule was introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009, and requires individuals to be notified if there is a breach of their health data. The Health Breach Notification Rule applies to vendors of personal health records and associated companies, but in a policy statement issued on September 16, 2021, the FTC said health apps and other connected devices that collect or use the health information of U.S. consumers are also covered by Rule. The policy statement was approved during an open meeting on Wednesday by a vote of 3-2.

The FTC Health Breach Notification Rule applies to health apps and wearable devices that collect health information from a consumer and can draw information from multiple sources, such as through an API that allows synching with a device such as a fitness tracker. Compliance will be enforced by the FTC, which has the authority to impose financial penalties. Those penalties can be as high as $43,792 for each day that notifications have not been issued.

Health apps can collect a wide range of sensitive personal and health data, either by directly recording the information through paired sensors, or by individuals entering the data into the apps manually. Health apps have been growing in popularity and usage has increased during the pandemic. Given the wide range of sensitive data stored by the apps, they are an attractive target for cybercriminals.

“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” said the FTC in the policy statement.

A lot of the data collected by health apps would be considered protected health information if collected by a healthcare provider, which would mean the information would be subject to the restrictions on uses and disclosures stipulated by the HIPAA Privacy Rule. Safeguards would need to be implemented to secure the data, in accordance with the HIPAA Security Rule, and a breach of health data would require notifications per the HIPAA Breach Notification Rule. However, unless a health app is developed for use by a HIPAA-covered entity, it falls outside of HIPAA protections.

Health apps often have security features to protect the privacy of users, but they are often limited. There have been calls for HIPAA to be extended to cover health app developers to improve privacy protections for users, or to implement new legislation covering these apps that requires certain standards of privacy and security to be adopted.

The FTC policy statement will at least help to ensure that users of health apps and wearable devices will be notified should a data breach occur, which will allow them to take steps to protect their identities and prevent fraud.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The post FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches appeared first on HIPAA Journal.