CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published healthcare sector-specific guidance on enhancing cyber resilience. The guidance is based on the findings from a two-week risk and vulnerability assessment that was performed in January 2023 at the request of a large healthcare organization that was looking to identify vulnerabilities and potential security improvements.

CISA spent the first week conducting external penetration tests to identify weaknesses that could be exploited, and the second week analyzing the internal network. The assessments covered web applications, databases, wireless access points, penetration tests, and phishing testing. The unnamed organization was found to have secured its network sufficiently to prevent external attacks: CISA could not find any externally exposed vulnerabilities that could be easily exploited by malicious actors and was unable to gain access through phishing. However, several weaknesses were identified during internal penetration tests. CISA was able to exploit misconfigurations, weak passwords, and other security issues through multiple attack paths and compromise the organization’s domain.

The penetration and web application testing uncovered no vulnerabilities that could easily be exploited, and the payloads used in the phishing tests were blocked by a combination of browser controls, security policies, and antivirus software. While some of the payloads were downloaded to disk, they were immediately neutralized by the antivirus software when executed, and while some payloads appeared to have evaded internal protections, they failed to make a connection with their command-and-control (C2) servers.

Phishing tests were also performed on end users in an attempt to harvest credentials. Twelve individuals responded to the phishing attempts and disclosed their credentials, but the credentials could not be used because those individuals only had limited access to external-facing resources, and multifactor authentication had been implemented for cloud accounts. CISA notes that its assessments did not include adversary-in-the-middle attacks using phishing kits such as Evilginx, which can bypass multifactor authentication. CISA recommends using phishing-resistant multifactor authentication to block attacks involving these advanced phishing kits.

The internal penetration tests started with a connection to the network without a valid domain account, and the aim was to gain domain user access and then escalate privileges until the domain was compromised. The organization’s domain was compromised via four attack paths, and in the fifth attack path, CISA was able to access sensitive information. CISA was able to obtain 55 password hashes, one of which belonged to a service account with a weak password; the hash was easily cracked and the account used to obtain access to the organization’s domain.

The web application tests identified default credentials in multiple web applications that had not been changed, as well as default printer credentials, along with misconfigurations that allowed CISA to authenticate to the domain controller and validate administrator privileges. CISA used the CrackMapExec tool to spray easily guessable passwords, obtained two sets of valid credentials for standard domain user accounts, and demonstrated a path leading to domain compromise. CISA also found that several systems on the network did not enforce SMB signing, and exploited that misconfiguration to obtain credentials for two additional domain administrator accounts, which were validated, confirming a domain compromise.

The fifth attack path involved vulnerability scanning, which identified an unpatched EternalBlue vulnerability in SMB version 1. CISA used a well-known exploit for the vulnerability to establish a shell on the server, which allowed commands to be executed in the context of the local SYSTEM account. CISA also identified multiple instances of password reuse, which allowed access to be gained to several resources containing sensitive information.
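An added example (not from the CISA advisory or the original article) of how a defender could audit the two SMB findings above, unenforced SMB signing and SMBv1 still enabled, across a set of Windows hosts: it queries each host over WinRM for its SMB server and client configuration and reports which misconfiguration is present, with a second function showing the corresponding remediation. The host names are constructed placeholders; WinRM access with local administrator rights on each host is assumed.

```powershell
# Added example, not code from the CISA advisory. Audits SMBv1 and SMB signing
# state on domain-joined Windows hosts. Assumes WinRM is enabled and the caller
# is a local administrator on each host; run from an elevated session.

function Test-SmbHardening {
    [CmdletBinding()]
    param(
        # Constructed sample host names; replace with hosts from your inventory.
        [string[]] $ComputerName = @('FILESRV01', 'PRINTSRV01')
    )

    # Runs on the remote host: built-in SmbShare cmdlets expose both settings.
    $probe = {
        $srv = Get-SmbServerConfiguration
        $cli = Get-SmbClientConfiguration
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            Smb1Enabled      = $srv.EnableSMB1Protocol
            ServerSigningReq = $srv.RequireSecuritySignature
            ClientSigningReq = $cli.RequireSecuritySignature
        }
    }

    foreach ($c in $ComputerName) {
        try {
            $r = Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Stop
        } catch {
            Write-Warning "$c : unreachable ($($_.Exception.Message))"
            continue
        }
        # Map raw settings to the findings described in the assessment.
        $findings = @()
        if ($r.Smb1Enabled)           { $findings += 'SMBv1 enabled (EternalBlue-class exposure)' }
        if (-not $r.ServerSigningReq) { $findings += 'server does not require SMB signing' }
        if (-not $r.ClientSigningReq) { $findings += 'client does not require SMB signing' }
        [pscustomobject]@{
            Computer              = $r.Computer
            Smb1Enabled           = $r.Smb1Enabled
            ServerSigningRequired = $r.ServerSigningReq
            ClientSigningRequired = $r.ClientSigningReq
            Findings              = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Remediation for a host that fails the audit: disable SMBv1 and require signing
# on both the server and client side. -Force suppresses the confirmation prompt.
# At scale the same settings belong in Group Policy rather than per-host scripts.
function Set-SmbHardening {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
}

Test-SmbHardening | Format-Table -AutoSize
```

Disabling SMBv1 through Set-SmbServerConfiguration turns the protocol off but leaves the feature installed; on supported server versions the SMB1 feature can additionally be removed so the setting cannot be silently re-enabled.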

The methods and tools used by CISA in its assessments are commonly used by attackers for post-compromise activity. Had initial access been gained, the internal vulnerabilities could have been exploited to achieve a full domain compromise. The key findings of the assessments have been published in a cybersecurity advisory – Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment – along with recommended mitigations for the vulnerabilities, which are likely to exist in many healthcare organizations. The guidance can also be applied by software companies and organizations in other critical infrastructure sectors.

The post CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience appeared first on HIPAA Journal.

Delta Dental of California Data Breach: 7 Million Individuals Affected

Delta Dental of California Says 6,928,932 Individuals Affected by MOVEit Hack

Delta Dental of California has recently confirmed that it was one of the victims of the Clop hacking group’s mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. Delta Dental of California, part of the Delta Dental Plans Association, provides dental insurance to 45 million people. According to the breach notification sent to the Maine Attorney General, the information of almost 7 million individuals was stolen in the attack, including members of Delta Dental of California plans and those of its affiliates.

Delta Dental discovered on June 1, 2023, that the SQL injection vulnerability – CVE-2023-34362 – in the MOVEit Transfer solution had been exploited. Progress Software had released an emergency patch to fix the flaw on May 31, 2023; however, the Russia-linked Clop group exploited the flaw between May 27 and May 30, 2023, before the patch was applied, and exfiltrated data from Delta Dental’s MOVEit server.

On July 6, 2023, Delta Dental confirmed that plan members’ data had been accessed and acquired without authorization, and third-party computer forensics experts were engaged to help with analytics and data mining to determine exactly what data had been stolen. Due to the extent of the data involved, the analysis has only just been completed, with the final list of the affected individuals and types of data involved finalized on November 27, 2023. Notification letters started to be sent to those individuals on December 14, 2023.

Delta Dental said the stolen data includes names in combination with one or more of the following: address, Social Security number, driver’s license number, other state identification number, passport number, financial account information, tax identification number, individual health insurance policy number, and/or health information. The affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services.

Delta Dental stressed in its notification letters that this was a mass exploitation incident that affected thousands of companies; however, the Delta Dental of California data breach stands out due to the number of individuals affected. With 6,928,932 dental plan members affected, this is the third largest healthcare MOVEit-related breach to have been reported, behind Maximus Inc. (11 million) and Welltok (8.5 million).

The HIPAA Breach Notification Rule requires notification letters to be issued within 60 days of the discovery of a breach. The Delta Dental of California data breach was reported to the HHS’ Office for Civil Rights on September 6, 2023, within 60 days of discovering that PHI was involved. It was unclear at the time how many individuals were affected so an interim figure of 501 was used. “The delay between detecting the incident, responding to it, and identifying what data has been accessed and by whom, along with which individuals are impacted is not surprising. To determine this typically relies on specialist digital forensic and incident response providers who need to forensically comb through logs and individual data objects using a combination of forensic tools and deep cybersecurity expertise to piece together what happened down to the individual data objects,” Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems, told The HIPAA Journal. “Modern data security tools can speed up the identification of what data is impacted, particularly at scale, so hopefully we will see these timeframes reduce as these tools get adopted. However, it will still take time to map those data objects to the individuals impacted at scale with forensic quality that can stand up in court.”


What is SOC 2 in Healthcare?

SOC 2 in healthcare is a privacy and security standard that can provide assurances to the C-Suite, to business partners, and to regulators that an organization has implemented appropriate controls to protect data (SOC 2 Type 1) and is using the controls effectively (SOC 2 Type 2). SOC 2 compliance in healthcare is voluntary, but the benefits of being SOC 2 “ready” can be significant.

What is SOC 2?

SOC 2 stands for System and Organization Controls 2 – one of five sets of standards organizations can use to assess whether their privacy, security, and/or administrative processes are adequate to ensure the confidentiality, integrity, and availability of data. In healthcare, SOC 2 is the most relevant of the five sets of standards because SOC 2 controls closely align with the requirements of HIPAA.

Healthcare organizations that have implemented policies and procedures to comply with HIPAA should have little difficulty in attesting to SOC 2 compliance and passing an SOC 2 audit. The audit report can then be used to demonstrate that the appropriate controls are in place to protect the privacy and security of healthcare data (Type 1) and that they are being used effectively (Type 2).

The SOC 2 Process

The SOC 2 process consists of determining what “Trust Services Criteria”, what “Control Components”, and what “Points of Focus” within each Control Component apply to your organization. These can then be compiled into an SOC 2 compliance checklist which can be used to assess “point of time” compliance or “ongoing” compliance with the relevant controls.

Once the assessment is complete, you attest that the organization is SOC 2 compliant. To verify the attestation via an audit report, you arrange for an SOC 2 audit conducted by a firm commissioned or certified by the American Institute of Certified Public Accountants (AICPA). Depending on the “Type” of attestation being certified, the audit can take one day (Type 1) or several months (Type 2).

The SOC 2 Controls

The SOC 2 controls consist of five Trust Services Criteria, within which there can be multiple Control Components and Points of Focus that can be relevant to an organization’s operations. Because different organizations assess themselves on different Criteria, Components, and Points of Focus, there is considerable overlapping of Points of Focus between the five Trust Services Criteria.

Security

Of the five Trust Services Criteria, this is the only one required in an SOC 2 assessment. Its objective is to demonstrate that an organization’s systems and the data stored on them are protected against physical damage, unauthorized access, and unauthorized disclosure. Within the Security Trust Services Criteria there are nine Control Components, each with multiple Points of Focus.

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

Each Point of Focus is required to have at least two control activities so that if one control activity fails, the Point of Focus is still supported by at least one other control activity. For example, a logical access control with two control activities would be a username and password combination supported by two-factor authentication.

Availability

For organizations pursuing SOC 2 in healthcare, compliance with the Availability Trust Services Criteria requires little more than compliance with the Administrative Safeguards of the Security Rule (§164.308) relating to data backups, environmental controls to safeguard physical backups, data recovery controls and ensuring that systems have the capacity to manage demand.

Confidentiality

The objective of the Confidentiality Trust Services Criteria is to ensure that PHI maintained in healthcare systems is protected. Omitting overlapping and duplicated Points of Focus, the four most relevant to healthcare organizations relate to data classification and retention, the protection of sensitive information, the encryption of data, and the disposal of data.

Processing Integrity

Although this Trust Services Criteria has been amended to align with the EU-US Data Privacy Framework and the EU’s General Data Protection Regulation, the requirement to ensure data processing is complete, valid, accurate, timely, and authorized aligns with HIPAA’s Technical Safeguards for the integrity of PHI, and so is worth reviewing.

Privacy

The Privacy Control Components and Points of Focus closely align with HIPAA Privacy Rule standards relating to privacy policies, privacy management, and breach notification. It is not necessary for organizations to comply with the Privacy Trust Services Criteria to achieve SOC 2 in healthcare, but it would be unusual for it to be omitted from the point of view of a business partner or a regulator.

SOC 2 and HIPAA

From the examples provided above, it is easy to see a close relationship between SOC 2 and HIPAA security standards. However, when you review the Control Components and Points of Focus of the privacy Trust Services Criteria, there is an equally close relationship between SOC 2 and HIPAA privacy standards – particularly in the Privacy Management Framework Control Component.

In the context of SOC 2 in healthcare, the contents of the Privacy Management Framework include (but are not limited to):

  • Policies and procedures for the creation, collection, use and transmission of PHI.
  • Risk analyses for identifying, classifying, and prioritizing vulnerabilities and risks to PHI.
  • Procedures to obtain individuals’ authorizations for uses and disclosures when necessary.
  • Procedures to prevent, detect, and mitigate the consequences of data breaches.
  • Procedures to notify individuals and the relevant authorities in the event of a data breach.
  • The provision of a Notice of Privacy Practices and procedures to notify individuals of changes.
  • Procedures for responding to access requests and requests for copies of PHI.
  • Procedures for amending PHI when requested and informing third parties when necessary.
  • Procedures for maintaining and providing on request an accounting of disclosures.
  • Procedures for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from individuals.

The Benefits of SOC 2 in Healthcare

The benefits of SOC 2 in healthcare vary depending on what an organization is trying to achieve by going through the SOC 2 process. For example, a business associate may need to prove it has measures in place to protect the privacy and security of PHI before entering into a Business Associate Agreement with a covered entity. In such cases, it may only be necessary for the business associate to demonstrate SOC 2 Type 1 compliance.

Alternatively, a healthcare organization may wish to demonstrate that it complies with SOC 2 Type 2 to qualify for reduced cybersecurity insurance rates, or it may pursue an SOC 2 in healthcare audit report to demonstrate compliance with a recognized security framework. Being able to demonstrate at least one year’s compliance with a recognized security framework could help mitigate regulatory penalties for violations of HIPAA.

Even if no direct motive exists for pursuing SOC 2 in healthcare, the process of determining which Trust Services Criteria, Control Components, and Points of Focus apply can help organizations identify and address potential privacy and security risks and improve their compliance posture. It is important to be aware that there are no passes or fails in a SOC 2 audit. The auditor compiling the SOC 2 audit report only records a “qualified opinion”.

SOC 2 Certification vs. SOC 2 “Ready”

Because organizations can select which Trust Services Criteria, Control Components, and Points of Focus they wish to include in an SOC 2 attestation, there is no such thing as an SOC 2 certification. The term “certification” usually refers to an SOC 2 audit report which – as discussed above – does not have passes or fails. A more appropriate term to use is SOC 2 “ready” which, in the context of SOC 2 in healthcare, means being ready for an SOC 2 audit.

Being SOC 2 ready is the ideal state for a healthcare organization to aim for and maintain because, even if the organization does not undergo an SOC 2 audit, it implies the healthcare organization is complying with HIPAA. If your organization requires help with identifying which Trust Services Criteria, Control Components, and Points of Focus apply, or requires advice about how to become SOC 2 ready, it is recommended you speak with an SOC 2 compliance professional.


How Often is OSHA Bloodborne Pathogens Training Required?

OSHA bloodborne pathogens training is required prior to an employee being assigned a task in which there may be occupational exposure to blood or another potentially infectious material. Thereafter, training is required at least annually and whenever there is a material change that affects the employee’s potential exposure.

Like many standards in Subpart Z of the OSHA standards (Toxic and Hazardous Substances), the OSHA bloodborne pathogens standard is extremely comprehensive. The standard (§1910.1030) covers every type of engineering control to mitigate the threat of an employee acquiring an infection from contact with blood, other bodily fluids (including saliva), human tissues, or medical equipment.

How to Comply with the Bloodborne Pathogens Standard

To comply with the bloodborne pathogens standard, employers must compile a list of all job classifications in which some or all employees potentially have occupational exposure to bloodborne pathogens. They must also list all tasks and procedures in those job classifications, and develop engineering controls and work practices to eliminate or mitigate employee exposure.

The engineering controls should include hand washing/skin flushing facilities, sharps disposal units, and personal protective equipment (e.g., gloves) where considered necessary. The standard also requires employers to prohibit eating, drinking, smoking, applying cosmetics or lip balm, and handling contact lenses in work areas where there is a likelihood of occupational exposure.

Further requirements of the bloodborne pathogens standard include repairing or replacing damaged equipment, washing or disposing of personal protective equipment, and housekeeping controls to ensure spills, splashes, and spattering of hazardous substances are immediately contained and cleaned up by members of the workforce who have received OSHA bloodborne pathogen training.

What does OSHA Bloodborne Pathogens Training Consist Of?

OSHA bloodborne pathogens training consists of training members of the workforce on the epidemiology and symptoms of bloodborne diseases and how they are transmitted from patient to provider. Thereafter, training must include information about the engineering controls and work practices developed by the employer to comply with OSHA. For example, how to:

  • Perform tasks and procedures safely
  • Isolate or remove potential hazards
  • Use sharps disposal containers
  • Use cleaning and disinfecting equipment
  • Correctly apply gloves, masks, and eye protection
  • Properly wash off or flush contact with fluids
  • Safely handle and dispose of bloodborne pathogens
  • Report a spill, splash, or spatter
  • Clean a spill, splash, or spatter

There may be additional training requirements depending on the manner in which members of the workforce are exposed to infectious materials. For example, if a task includes patient handling, ergonomics training must be provided under the OSHA General Duty clause to mitigate the risks of musculoskeletal disorders and other physical injuries.

How Often is OSHA Bloodborne Pathogens Training Required?

OSHA bloodborne pathogens training is required prior to an employee being assigned a task in which there may be occupational exposure to blood or another potentially infectious material. Subject to state-approved OSHA Plans with more stringent requirements, refresher training is required at least annually or whenever there is a material change that affects employees’ potential exposure.

With regards to material changes, OSHA bloodborne pathogens training must be provided even if the procedure for carrying out a task is modified or if the coding of a hazard is amended. Training must also be provided when a member of the workforce progresses from (for example) handling non-infectious human pathogens to handling infectious human pathogens.

With regards to the provision of OSHA bloodborne pathogens training when training of a similar nature has already been provided, it is important to note OSHA has stated employees must receive OSHA bloodborne pathogens training regardless of prior education or training, but the standard allows employers to tailor training to each employee’s background and responsibilities.

If after reviewing the standard, you have questions about OSHA bloodborne pathogen training or how often it is required, you should seek professional compliance advice.

