CISA Updates its Zero Trust Maturity Model

The Cybersecurity and Infrastructure Security Agency (CISA) has released an updated version of its Zero Trust Maturity Model, the purpose of which is to help federal agencies adopt zero trust security. While the guidance is primarily intended for federal agencies, it can be used by any organization looking to improve its security posture through zero trust.

The traditional approach to security relies on perimeter defenses to keep unauthorized individuals out of protected internal networks, with anyone already inside the network implicitly trusted. The perimeter security model has served organizations well for many years, but it is only effective when there is a border to protect and the vast majority of IT resources and critical assets sit inside that border. Today, most networks are not entirely on-premises and remote working is common, so many trusted individuals are outside the border. Further, with perimeter security, once the perimeter is breached an attacker can move laterally and compromise large parts of the network, IT resources, and critical data. Zero trust starts from the assumption that the network has already been compromised, limits access to data, networks, and infrastructure to the minimum necessary, and continuously verifies the legitimacy of every access request.

CISA’s Zero Trust Maturity Model is based on five pillars – identity, devices, network, data, and applications and workloads – and can be used to assess an organization's current level of zero trust maturity. Version 2 of the Zero Trust Maturity Model incorporates recommendations collected through the public comment period and adds a new maturity stage. There are now four maturity stages in the model – traditional, initial, advanced, and optimal. ‘Initial’ was added because CISA recognizes that organizations have different starting points on their journey to zero trust.

The updated Model also includes several new functions and updates to existing functions, which organizations should consider when they plan and make decisions about zero trust architecture implementation. The updated maturity model also provides a gradient of implementation across each of the five pillars to facilitate the implementation of zero trust, supporting organizations as they make minor advancements on their journey toward the full implementation of zero trust architecture.

“CISA has been acutely focused on guiding agencies, who are at various points in their journey, as they implement zero trust architecture,” said Chris Butera, Technical Director for Cybersecurity, CISA. “As one of many roadmaps, the updated model will lead agencies through a methodical process and transition towards greater zero trust maturity.”

The post CISA Updates its Zero Trust Maturity Model appeared first on HIPAA Journal.

Online Alcohol Counseling Service Provider Reports 109K-record Tracking Tool Data Breach

Monument Inc., a New York-based online alcohol addiction and treatment service provider, has recently notified almost 109,000 individuals about an impermissible disclosure of some of their personal and protected health information. The disclosure occurred due to the use of tracking code on its websites.

Monument explained in its breach notification letters that an internal review was conducted in late 2022 into the use of website tracking tools after guidance was issued by the HHS’ Office for Civil Rights on pixels and other tracking tools and how they may violate the HIPAA Rules. The internal review was completed on or around February 6, 2023, and it was determined that the tools on its websites potentially transferred identifiable protected health information to third parties who were unauthorized to receive the information, as consent to disclose that information was not obtained and there were no business associate agreements with the companies that provided the tools.

The tracking tools were provided by Google, Facebook (Meta), Pinterest, and Bing, and while present on the websites, the tools may have transferred names, birth dates, telephone numbers, email addresses, Monument IDs, insurance member IDs, unique digital IDs, photographs, uniform resource locators, assessments and surveys, selected services and plans, appointment information, and associated health information. The types of information disclosed varied from individual to individual depending on their interactions on the websites.

The tracking tools were added to Monument's websites in January 2020, and had been present on the websites of Tempest since November 2017. Monument acquired Tempest in May 2022. Monument said it fully disconnected its websites from the tools on February 23, 2023, and has terminated third-party advertising relationships with the providers of the tracking tools. In the future, Monument will only use third-party vendors that meet HIPAA requirements and other privacy laws.
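As an added illustration (not code from Monument, HIPAA Journal, or the vendors named above), the kind of static check an internal review like the one described could start with: parse a page's HTML, flag script and image sources that point at the vendors' documented tracker hosts or use their bootstrap globals (fbq, gtag, pintrk, uetq), and report any tracker request whose query string or inline call carries patient-identifying fields. The sample HTML, the tracker IDs in it and the PHI_PARAMS field names are constructed for the example; the host list is an assumption to extend for your own pages, and a static scan cannot see what is sent at runtime, so it complements rather than replaces a browser network capture of an authenticated session.

```python
"""Static audit of a page's HTML for third-party tracking tags and PHI leakage.

Added example; not Monument's, HIPAA Journal's or any vendor's code.
Tracker hosts/globals below are the publicly documented bootstrap names for
the vendors named in the notice; PHI_PARAMS and the sample page are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Script/pixel hosts -> vendor. Assumption: extend for the tags your pages embed.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google (gtag.js)",
    "www.google-analytics.com": "Google (gtag.js)",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",          # <img src=".../tr?..."> noscript fallback
    "s.pinimg.com": "Pinterest Tag",
    "bat.bing.com": "Microsoft/Bing UET",
}
# JS globals each vendor's inline bootstrap snippet defines or calls.
TRACKER_GLOBALS = {
    "gtag(": "Google (gtag.js)",
    "fbq(": "Meta Pixel",
    "pintrk(": "Pinterest Tag",
    "uetq": "Microsoft/Bing UET",
}
# Field names that would put PHI into a third-party request (constructed names;
# map these to the identifiers your own application actually uses).
PHI_PARAMS = {"email", "phone", "dob", "member_id", "insurance_id", "assessment"}
PHI_RE = re.compile(r"\b(" + "|".join(sorted(PHI_PARAMS)) + r")\b")


class TagCollector(HTMLParser):
    """Collect <script src>, <img src> and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.img_srcs, self.inline = [], [], []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._buf = []
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_html(html):
    """Return (vendors, leaks).

    vendors: sorted vendor names whose tags were found.
    leaks: (location, sorted PHI field names) for every tracker request URL or
           inline tracker call that carries a PHI_PARAMS field.
    """
    p = TagCollector()
    p.feed(html)
    vendors, leaks = set(), []
    for url in p.script_srcs + p.img_srcs:
        parts = urlparse(url)
        vendor = TRACKER_HOSTS.get(parts.hostname or "")
        if not vendor:
            continue                      # first-party or unknown host
        vendors.add(vendor)
        keys = set(parse_qs(parts.query)) & PHI_PARAMS
        if keys:
            leaks.append((url, sorted(keys)))
    for js in p.inline:
        hit = [v for tok, v in TRACKER_GLOBALS.items() if tok in js]
        if not hit:
            continue
        vendors.update(hit)
        keys = set(PHI_RE.findall(js))    # PHI field names passed into a tracker call
        if keys:
            leaks.append(("inline " + "/".join(sorted(set(hit))), sorted(keys)))
    return sorted(vendors), leaks


# Constructed sample page: fake tag IDs, fake patient values.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-0000000"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-0000000');
</script>
<script>
  fbq('init', '0000000000');
  fbq('track', 'Schedule', {member_id: 'M-123', assessment: 'AUDIT-C'});
</script>
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=0000000000&ev=Schedule&email=pat%40example.org&noscript=1"/></noscript>
<img src="https://bat.bing.com/action/0?ti=000&Ver=2&dob=1980-01-01"/>
<img src="/static/logo.png"/>
</body></html>"""

if __name__ == "__main__":
    found, problems = audit_html(SAMPLE_HTML)
    print("trackers:", found)
    for where, fields in problems:
        print("PHI in tracker request:", where, fields)
```

Run it against saved copies of every page behind a login or intake form, not just the marketing homepage: the pixels in the notice above leaked most when they fired on appointment, assessment and account pages. Whatever the scan finds, the question for the privacy review is the one in Monument's letters: is there a business associate agreement, or documented consent, covering each vendor that receives the request?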

The decision was taken to notify all Monument members, even if they did not create an account or did not go on to become patients of Monument or Tempest’s medical groups (Live Life Now Health Group and Purdy Medical Corp). While there is no evidence of misuse of the disclosed information, affected individuals have been offered free membership to a credit monitoring service.

Monument is the latest healthcare organization to issue notifications about tracking tool-related data breaches over the past few months since these tools were discovered to be sending sensitive data to third parties. A recent study by researchers at the University of Pennsylvania suggests 99% of hospitals in the U.S. use tracking tools on their websites, while a study by The Markup indicates these tools are extensively used by online counseling service providers.

These impermissible disclosures have sparked several lawsuits, and while OCR has taken no enforcement action in response to these breaches, the Federal Trade Commission has taken action against non-HIPAA-covered entities such as GoodRx and BetterHelp.

The post Online Alcohol Counseling Service Provider Reports 109K-record Tracking Tool Data Breach appeared first on HIPAA Journal.