HHS Provides New Resources and Cybersecurity Training Program to Combat Healthcare Cyber Threats

The Department of Health and Human Services’ Cybersecurity Task Force has shared new resources to help healthcare and public health (HPH) sector organizations combat the growing number of cyberattacks targeting the sector and improve their cybersecurity posture.

The new resources include an online educational platform that delivers free cybersecurity training, which HPH organizations can use to raise the security awareness of the workforce; an updated edition of the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, which details the top cyber threats faced by the HPH sector; and a report on the current state of cybersecurity preparedness of hospitals, measured against the NIST Cybersecurity Framework.

The online training platform – Knowledge on Demand – is the first free cybersecurity training platform to be offered by the HHS. The platform includes training material on the most pertinent threats to the HPH sector and, at launch, includes training on five cybersecurity topics: social engineering, ransomware, loss/theft of computer equipment and data, accidental and malicious insider data loss, and attacks on network-connected medical devices. The platform includes videos, job aids, and PowerPoint presentations. The training materials can be used to help HPH organizations comply with the security awareness training requirements of the HIPAA Security Rule.

The updated HICP publication has been developed to be appropriate for healthcare organizations of all sizes. It includes security best practices and resources to help healthcare organizations prepare for and defend against cybersecurity threats that impact patient safety, including the same five key threats that are covered in the Knowledge on Demand training material. The 47-page document was developed by the 405(d) Task Group, was updated by more than 150 industry and federal professionals, and includes the most cost-effective measures to protect against HPH sector cybersecurity threats and protect patients.

The Hospital Cyber Resiliency Landscape Analysis was conducted by the 405(d) Program. It reviews the current state of cybersecurity at the hundreds of participating hospitals and assesses their preparedness to deal with cyber threats, their cybersecurity capabilities, and their level of cyber resiliency. The document explores the tactics, techniques, and procedures that cyber adversaries are currently using to compromise U.S. hospitals and disrupt operations for financial gain, and benchmarks the results against specific practices outlined in the HICP. The document identifies best practices and opportunities to improve cyber resiliency.

The post HHS Provides New Resources and Cybersecurity Training Program to Combat Healthcare Cyber Threats appeared first on HIPAA Journal.

Employer Ordered to Pay $15,000 Damages for Retaliation Against COVID-19 Whistleblower

An employee who was fired after raising COVID-19 safety concerns will receive $15,000 in damages after the Occupational Safety and Health Administration (OSHA) found the employer violated the whistleblower protections of the Occupational Safety and Health (OSH) Act.

In December 2020 during the COVID-19 pandemic, an employee of a luxury car dealership in Austin, Texas, discovered another employee had tested positive for COVID-19. The management was notified, and the employee requested that the management notify other employees at the dealership immediately to alert them to the potential exposure to COVID-19. Management took no action, so the employee sent an email to all company employees to alert them about the potential hazard and was fired within an hour.

OSHA launched an investigation into potential violations of the OSH Act by the dealership, specifically, whether the whistleblower protections under section 11(c) of the OSH Act were violated. These protections prohibit employers from retaliating against workers who blow the whistle by exposing health and safety hazards in the workplace. OSHA determined that the employee had exercised their legal rights under the OSH Act and the termination was illegal.

In October 2021, the U.S. Department of Labor filed a lawsuit in the U.S. District Court for the Western District of Texas, Austin Division, against the auto dealership, Hi Tech Imports. The lawsuit sought reinstatement, lost wages and benefits resulting from the termination, reimbursement for costs and expenses, compensatory damages, and exemplary or punitive damages. On March 20, 2023, the Department of Labor obtained a consent judgment that requires Hi Tech Imports LLC – dba Porsche Austin – to pay the employee $15,000 in compensatory damages and the court forbade the dealership from discriminating against employees in the future for voicing concerns about safety and health in the workplace.

“When employers retaliate against their workers for voicing safety and health concerns, the U.S. Department of Labor will work vigorously to protect workers’ rights,” said Regional Solicitor of Labor John Rainwater in Dallas. “The department is dedicated to ensuring safe and healthful working conditions as required by federal law. No employee should fear their employer for reporting legitimate safety concerns.”

On July 26, 2022, OSHA and the National Labor Relations Board resolved a related case through an agreement with Hi Tech Motorcars LLC, Hi Tech Imports LLC, Hi Tech Luxury Imports LLC, and Hi Tech Partners LLC to pay $116,231 in back wages and reinstate the employee to their previous position.

The post Employer Ordered to Pay $15,000 Damages for Retaliation Against COVID-19 Whistleblower appeared first on HIPAA Journal.