Bipartisan Bill Aims to Ensure the HHS is Implementing Effective Cybersecurity Measures
A bipartisan Senate bill has been introduced that aims to improve healthcare cybersecurity and ensure that the Department of Health and Human Services (HHS) is implementing effective cybersecurity measures to combat evolving cyber threats. In 2023, record numbers of healthcare records were compromised, and more data breaches were reported than in any other year to date. More than 133 million healthcare records were compromised in 2023 across more than 725 reported breaches, the majority of which were hacking incidents.
Healthcare organizations must ensure that they are compliant with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which sets minimum standards for cybersecurity. The HHS is the main enforcer of compliance with the HIPAA Rules and issues guidance on healthcare cybersecurity. The HHS also manages the health data of approximately 65 million Americans who receive healthcare services through Medicare. As such, it is vital that the cybersecurity measures at the HHS are robust and capable of defending against evolving cyber threats.
The Strengthening Cybersecurity in Health Care Act was introduced by Senator Angus King (I-ME), Co-Chair of the Cybersecurity Solarium Commission and a member of the Senate Armed Services Committee (SASC) and the Senate Select Committee on Intelligence (SSCI), together with Senator Marco Rubio (R-FL). The bill takes aim at the HHS itself and the cybersecurity protocols and practices it has introduced to combat evolving cyber threats.
“In recent years, several of Maine’s major healthcare providers have been the victims of cyberattacks. This threat to America’s critical infrastructure is real, and could literally mean the difference between life and death — we must take proactive steps to enhance the cybersecurity of our healthcare and public health sectors,” said Senator King. “The bipartisan Strengthening Cybersecurity in Health Care Act would help ensure that health institutions have the resources to keep patient data safe. As the number of threats continues to grow, consistent evaluations will prove to be a lifeline to the medical community treating our family and friends.”
The Strengthening Cybersecurity in Health Care Act requires the Inspector General of the HHS to evaluate the cybersecurity practices and protocols of the HHS. At least every two years, cybersecurity reviews and penetration tests would be conducted on HHS IT systems, and biennial reports would be submitted to Congress describing the HHS’s current cybersecurity practices and its progress on the security practices it plans to implement.
The post Bipartisan Bill Aims to Ensure the HHS is Implementing Effective Cybersecurity Measures appeared first on HIPAA Journal.
FTC’s Amended Complaint Against Kochava Survives Motion to Dismiss
An amended Federal Trade Commission (FTC) complaint against the data broker Kochava has survived a motion to dismiss. Idaho District Court Judge B. Lynn Winmill dismissed the first FTC complaint in May 2022 because the FTC had failed to establish that Kochava’s business practices constituted a substantial injury to consumers. In dismissing the complaint, Judge Winmill permitted the FTC to file an amended complaint, which the FTC did in June 2023.
In its complaints, the FTC accused Kochava of invading consumers’ privacy and exposing them to risk by selling their precise geolocation information and other sensitive data to third parties. Geolocation data reveals consumers’ visits to sensitive locations such as abortion clinics, places of worship, addiction treatment facilities, and shelters for survivors of domestic abuse. The FTC explained in its complaint that Kochava obtains the data from other data brokers and does not interact directly with consumers; however, the data amassed by Kochava and sold through its Kochava Collective product is highly granular and contains detailed information about consumers’ precise movements.
The precise geolocation information is obtained from mobile phones, each of which is associated with a persistent, individual identifier. The geolocation data covers consumers’ movements over days, weeks, months, or even years and is accurate to a few meters, so it is possible to tell which building a consumer is in and, in some cases, even which room. Other data sold by Kochava links directly to this geolocation data and can include names, addresses, email addresses, and phone numbers. Kochava also collects and sells enormous amounts of additional private and sensitive information about consumers.
Kochava sells data in several forms through the Kochava Collective: precise geolocation data, comprehensive profiles of individual consumers (Database Graph), records of consumers’ use of mobile apps (App Graph), and audience segments, which categorize consumers based on identified sensitive and personal characteristics and attributes. The FTC explained in the amended complaint that Kochava’s customers can and do purchase that data, and it provided an example of the level of detail that can be purchased: “Kochava’s data identifies, for example, a woman who visits a particular building, the woman’s name, email address, and home address, and whether the woman is African-American, a parent (and if so, how many children), or has an app identifying symptoms of cancer on her phone.” The FTC said Kochava makes it clear to potential buyers that the purpose of the Kochava Collective is to sell this level of granular consumer data.
The FTC alleges the sale of this information harms consumers in two ways: first, consumers are put at risk of secondary harms such as discrimination, stigma, emotional distress, and physical violence; second, it invades their privacy. While the initial complaint failed to sufficiently allege a substantial injury, Judge Winmill ruled that the amended complaint included sufficient facts to support both types of harm. That detail was enough to satisfy the liberal plausibility standard that Kochava’s alleged practices may violate Section 5 of the FTC Act, which covers unfair business practices.
While Kochava’s motion to dismiss was denied, the company still believes it will prevail. A spokesperson for Kochava said, “Kochava has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy.” Before the FTC complaint was filed, Kochava had already implemented measures to protect consumer privacy, including its Privacy Block feature, which blocks geolocation data from sensitive locations such as those named in the FTC complaint.
The FTC has been pursuing data brokers over the sale of sensitive data to third parties and recently announced settlements with X-Mode Social/Outlogic and InMarket Media, which the FTC claims have put companies on notice that the period of unchecked monetization and surveillance of consumers’ sensitive data is over.
GAO: Federal Agencies Need to Enhance Oversight of Ransomware Practices
The Government Accountability Office (GAO) has found that most federal agencies that manage risk for critical infrastructure sectors have assessed, or plan to assess, the risks associated with ransomware, but they have not gauged the adoption of leading cybersecurity practices, nor determined whether federal support has effectively reduced risk in those sectors. Ransomware attacks have increased over the past few years, and organizations in critical infrastructure sectors are being extensively targeted. According to the Department of the Treasury, the total value of ransomware attacks in the United States reached $886 million in 2021, up 68% from the previous year. Many of the attacks have been on healthcare organizations and have harmed patients by delaying treatment and diagnosis.
According to the Federal Bureau of Investigation (FBI), 870 critical infrastructure organizations were affected by ransomware attacks in 2022 and almost half of those attacks were on four critical infrastructure sectors – critical manufacturing, energy, healthcare and public health, and transportation systems. In February 2022, the National Institute of Standards and Technology (NIST) developed a framework for managing ransomware risk, which can be used by organizations to identify and prioritize opportunities for improving security and resilience against ransomware attacks. What is unclear is the extent to which the security practices recommended by NIST to combat ransomware have been implemented across critical infrastructure sectors.
GAO conducted a study to assess federal agency efforts to oversee sector adoption of leading federal practices, and to evaluate federal agency efforts to assess ransomware risks and the effectiveness of the support they have provided. GAO analyzed documentation related to reporting, risk analysis, and mitigation strategies and compared those efforts against NIST’s ransomware-specific cybersecurity guidance. GAO found that the assessed Sector Risk Management Agencies (SRMAs) do not have reliable data on the extent to which the NIST recommendations have been implemented; until they do, the White House’s goal of improving critical infrastructure resilience against ransomware will be harder to achieve.
Most of the SRMAs assessed by GAO had already assessed, or plan to assess, the risks of cybersecurity threats such as ransomware for their respective sectors, as required by law, but only half of the agencies had evaluated aspects of the support they provided to their sectors, and none had fully assessed the effectiveness of that support. GAO made 11 recommendations to the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), and Department of Transportation (DOT). GAO recommended that the Secretaries of DOE, HHS, DHS, and DOT coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) to determine the extent to which their sectors are adopting leading cybersecurity practices against ransomware. They should also develop and implement routine evaluation procedures that measure how effectively federal support reduces ransomware risk in their respective sectors.
The HHS agreed with the recommendations and believes it has already met one of them, since it conducted an initial evaluation of the sector’s adoption of cybersecurity practices through prior efforts, such as its April 2023 Hospital Resiliency Landscape Analysis, which measured the adoption of recommended cybersecurity practices in hospitals, and it has developed a Risk Identification and Site Criticality Toolkit. GAO recognized the steps already taken but said the HHS is not yet tracking the sector’s adoption of the specific practices that reduce ransomware risk, so its recommendations still stand.
What is an OSHA PEL in Healthcare?
An OSHA PEL in healthcare is the Permissible Exposure Limit allowed by the Occupational Safety and Health Administration (OSHA) for hazardous substances found in healthcare environments. Most commonly, an OSHA PEL in healthcare will limit employee exposure to hazards such as:
- Ethylene Oxide
- Formaldehyde
- Glutaraldehyde
- Ionizing Radiation
- Laboratory Chemicals
- Antineoplastic Drugs
OSHA sets PELs to protect employees against the health effects of exposure to hazardous substances. Most OSHA PELs in healthcare limit the amount or concentration of a hazardous substance an employee may be exposed to over a period of time.
Typically, an OSHA PEL in healthcare is based on a Time Weighted Average (TWA) for an eight-hour workday or a 40-hour work week. Once the exposure limit has been reached, the employee must not be exposed to the hazard for the rest of that day or week.
For some PELs, OSHA also applies Short Term Exposure Limits (STELs), which permit a higher level of exposure than the TWA allows, but only for a short period. For example, the OSHA PEL for exposure to formaldehyde (OSHA §1910.1048(c)) states:
1910.1048(c)(1)
TWA: The employer shall assure that no employee is exposed to an airborne concentration of formaldehyde which exceeds 0.75 parts formaldehyde per million parts of air (0.75 ppm) as an 8-hour TWA.
1910.1048(c)(2)
STEL: The employer shall assure that no employee is exposed to an airborne concentration of formaldehyde which exceeds two parts formaldehyde per million parts of air (2 ppm) as a 15-minute STEL.
Potential Changes to OSHA Permissible Exposure Limits
The current list of OSHA PELs for hazardous substances and laboratory chemicals can be found in Annotated Tables Z-1, Z-2, and Z-3. The OSHA PEL for ionizing radiation is in OSHA §1910.1096. OSHA defers to NIOSH guidelines for occupational exposure to antineoplastic drugs because of the number of such drugs and the differing levels of risk between unopened, intact tablets and capsules and injectable drugs, which usually require extensive preparation.
However, in the preamble to the Annotated Tables, OSHA acknowledges that many of its PELs are out of date because they were adopted soon after the Administration was created in 1971 and have not been updated since. Although the current list is the one against which OSHA compliance is assessed, OSHA advises businesses to refer to Cal/OSHA’s more stringent PELs and NIOSH’s “Pocket Guide to Chemical Hazards” and to apply the lowest permissible exposure limit of the three.
OSHA’s PELs may change because the Administration has been looking at ways to keep pace with changes in chemical formulations and the hazards those changes create. Acknowledging that the one-chemical-at-a-time approach is not effective, OSHA has proposed adopting a method similar to the EU’s REACH program, which moves the burden of developing PELs for hazardous substances from the government to the manufacturer.
How to Comply with an OSHA PEL in Healthcare
The purpose of an OSHA PEL in healthcare is to keep employees safe. If a highly trained employee develops an illness or health condition because of over-exposure to a hazardous substance, that employee can no longer provide their service to the employer.
Therefore, it is advisable to conduct a risk assessment for all hazardous substances that employees may be exposed to and, where a risk of exposure exists, to implement engineering controls, conduct regular air monitoring, and provide PPE and employee training in order to comply with the OSHA PEL.
Healthcare organizations can be fined, and have been fined, for violating OSHA permissible exposure limits in healthcare, although over the past year more healthcare organizations have been cited for failing to communicate hazards than for exceeding permissible exposure limits.
If your organization has concerns it is failing to comply with an OSHA PEL in healthcare, or needs help organizing a training or hazard communication program, you should speak with an OSHA compliance expert or approach OSHA directly to see if you qualify for a free onsite consultation.