FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) have announced a memorandum of agreement to implement a new framework to increase collaboration and improve coordination of their efforts to increase medical device security.

The security of medical devices has long been a concern. Cybersecurity flaws in medical devices could potentially be exploited to cause patients harm, and with an increasing number of medical devices now connecting to healthcare networks, it is more important than ever to ensure adequate protections are in place to ensure patient safety and threats are rapidly identified, addressed and mitigated.

Medical devices are a potential weak point that could be exploited to gain access to healthcare networks and sensitive data, they could be used to gain a foothold to launch further cyberattacks that could prevent healthcare providers from providing care to patients. Vulnerabilities could also be exploited to deliberately cause harm to patients. While the latter is not believed to have occurred to date, it is a very real possibility.

Both the FDA and DHS are aware of the threat posed by medical devices and have working to strengthen cybersecurity. The two agencies have collaborated in the past on medical device cybersecurity and vulnerability disclosures, although the new agreement formalizes the relationship between the two agencies.

The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” explained FDA Commissioner Scott Gottlieb, M.D. “But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone.”

Under the new agreement, information sharing will be increased between the two federal agencies to improve understanding of new medical device security threats. When vulnerabilities are discovered, both departments will work closely together to assess the risk that the vulnerabilities pose to patient safety. The agencies will also coordinate the testing of the vulnerabilities.

By working more closely together, the two agencies will be able to eliminate duplication of activities and will be able to work more efficiently at identifying and mitigating threats. “Through this agreement, both agencies are renewing their commitment to working with not only each other, but also all stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosure for identifying and addressing cybersecurity risks,” wrote the FDA.

DHS will remain as the central coordination center for medical device vulnerabilities through the National Cybersecurity and Communications Integration Center (NCCIC), which will continue to be responsible for coordinating information sharing between medical device manufacturers, security researchers and the FDA.

The FDA’s Center for Devices and Radiological Health will use its considerable technical and clinical expertise to assess the risk vulnerabilities pose to patient health and the potential for patients to come to harm from exploitation of vulnerabilities. This information will then be shared with DHS through regular, ad hoc, and emergency communication calls.

“Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information. This agreement is another important step in our collaboration,” said Christopher Krebs, Undersecretary for the National Protection and Programs Directorate at DHS.

The post FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity appeared first on HIPAA Journal.

Updated Tools for Your HIPAA Toolkit: Security Risk Assessment – Lexology


The Daily Swig
Updated Tools for Your HIPAA Toolkit: Security Risk Assessment
Lexology
The new tool provides a more user friendly format for an organization to step through common threats and vulnerabilities to be addressed under the HIPAA Security Rule. Unlike the prior version, the updated tool also provides summary information in a ...
Anthem pays out record $16m over data breach | The Daily SwigThe Daily Swig
Anthem Agrees to $16 Million Settlement Following Compromise of 80 Million Health RecordsSecurity Boulevard
HHS updates security risk assessment toolBecker's Hospital Review
Newsmax
all 27 news articles »

United States: Are Non-Covered Activities And Programs At Your Campus/Institution Leaving You Overly Vulnerable To … – Mondaq News Alerts

United States: Are Non-Covered Activities And Programs At Your Campus/Institution Leaving You Overly Vulnerable To ...
Mondaq News Alerts
HIPAA defines a hybrid entity as a single legal entity that is a covered entity; whose business activities include both covered and non-covered functions; and that self-designates the health care components that it provides. Covered functions include ...

Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering

Earlier this year, spam and web filtering solution provider TitanHQ partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.

The new partnership has allowed Datto to enhance security on the Datto Networking Appliance with enterprise-grade web filtering technology supplied by TitanHQ.

The new web filtering functionality allows users of the appliance to carefully control the web content that can be accessed by employees and guests and provides superior protection against the full range of web-based threats.

TitanHQ and Datto Networking will be holding a webinar that will include an overview of the solution along with a deep dive into the new web filtering functionality.

Webinar Details:

Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering

Date: Thursday, October 18th

Time: 11AM ET | 8AM PT | 4PM GMT/BST

Speakers:

John Tippett, VP, Datto Networking

Andy Katz, Network Solutions Engineer

Rocco Donnino, EVP of Strategic Alliances, TitanHQ

Click here to register for the webinar

The post Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering appeared first on HIPAA Journal.

The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates

The HIPAA Risk analysis is a foundational element of HIPAA compliance, yet it is something that many healthcare organizations and business associates get wrong. That places them at risk of experiencing a costly data breach and a receiving a substantial financial penalty for noncompliance.

The HIPAA Risk Analysis

The administrative safeguards of the HIPAA Security Rule require all HIPAA-covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” See 45 C.F.R. § 164.308(u)(1)(ii)(A).

The risk analysis is a foundational element of HIPAA compliance and is the first step that must be taken when implementing safeguards that comply with and meet the standards and implementation specifications of the HIPAA Security Rule.

If a risk analysis is not conducted or is only partially completed, risks are likely to remain and will therefore not be addresses through an organization’s risk management process – See § 164.308(u)(1)(ii)(B) – and will not be reduced to a reasonable and appropriate level to comply with the § 164.306 (a) Security standards: General Rules.

A HIPAA risk analysis is also necessary to determine whether it is reasonable and appropriate to use encryption or whether alternative safeguards will suffice – See 45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).

A risk analysis should also be used to guide organizations on authentication requirements – See 45 C.F.R. § 164.312(c)(2) – and the methods that should be used to protect ePHI in transit – See 45 C.F.R. § 164.312(c)(2).

If risks are allowed to persist, they can potentially be exploited by hackers and other malicious actors resulting in impermissible disclosures of ePHI.

During investigations of data breaches, the Department of Health and Human Services’ Office for Civil Rights looks for HIPAA compliance failures that contributed to the cause of the breach. One of the most common violations discovered is a failure to conduct a comprehensive, organization-wide risk analysis. A high percentage of OCR resolution agreements cite a risk analysis failure as one of the primary reasons for a financial penalty.

Requirements of a HIPAA Risk Analysis

The HIPAA Security Rule states that a risk analysis is a required element of HIPAA compliance, but does not explain what the risk analysis should entail nor the method that should be used to conduct a risk analysis. That is because there is no single method of conducting a risk analysis that will be suitable for all organizations, nor are there any specific best practices that will ensure compliance with this element of the HIPAA Security Rule.

OCR has explained the requirements of a HIPAA risk analysis on the HHS website. HHS guidance on risk analysis requirements of the HIPAA Security Rule is also available as a downloadable PDF (36.1 KB), with further information available in the NIST Risk Management Guide for Information Technology Systems – Special Publication 800-30 (PDF – 480 KB).

A Security Risk Assessment Tool to Guide HIPAA-Covered Entities Through a HIPAA Risk Analysis

The risk analysis process can be a challenge. To make the process easier, the HHS’ Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the Office for Civil Rights, has developed a downloadable security risk assessment tool that guides HIPAA-covered entities through the process of conducting a security risk assessment.

After downloading and installing the tool, healthcare organizations can enter information and a report will be generated that helps them determine risks in policies, processes and systems and details some of the methods that can be used to mitigate weaknesses when the user is performing a risk assessment.

On October 15, 2018, ONC updated the tool (version 3.0). The aim of the update was “to make it easier to use and apply more broadly to the risks of the confidentiality, integrity, and availability of health information. The tool diagrams HIPAA Security Rule safeguards and provides enhanced functionality to document how your organization implements safeguards to mitigate, or plans to mitigate, identified risks,” wrote ONC.

The new features include an updated and enhanced user interface, a modular workflow, custom assessment logic, a progress tracker, threat and vulnerability ratings, more detailed reports, assess tracking, business associate track, and several enhancements to improve the user experience.

Use of the tool will not guarantee compliance with HIPAA or other federal, state, or local laws, but it is incredibly useful tool for guiding HIPAA-covered entities and business associates through the process of conducting a HIPAA-compliant risk analysis.

The updated Security Risk Assessment Tool can be downloaded from the HealthIT.gov website on this link.

The post The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates appeared first on HIPAA Journal.

Are Non-Covered Activities And Programs At Your Campus/Institution Leaving You Overly Vulnerable to HIPAA? A … – JD Supra (press release)


JD Supra (press release)
Are Non-Covered Activities And Programs At Your Campus/Institution Leaving You Overly Vulnerable to HIPAA? A ...
JD Supra (press release)
HIPAA defines a hybrid entity as a single legal entity that is a covered entity; whose business activities include both covered and non-covered functions; and that self-designates the health care components that it provides. Covered functions include ...