Florida Senator Urges FBI to Prioritize Investigation of Tampa General Hospital Cyberattack

Senator Rick Scott (R-FL) has written to FBI Director Christopher Wray requesting the law enforcement agency prioritize the investigation of a major cyberattack on Tampa General Hospital (TGH) that involved the medical records of more than 1.2 million people and bring the perpetrators behind the cyberattack to justice.

The attack in question was discovered by TGH administrators on May 31, 2023, with the forensic investigation determining that hackers had access to its network for 18 days, having gained initial access to its network on May 12, 2023. The attackers attempted to encrypt files; however, TGH was able to prevent encryption but could not prevent the exposure of patient data. The compromised systems contained names, addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, and more.

While the cyberattack is significant due to the amount of exposed data, it is far from the only such attack on a U.S. healthcare provider in recent years. Senator Scott cites a ransomware attack on Scripps Health in California in 2021 in which hackers stole 150,000 patient records, the attack on CommonSpirit Health in 2022 that affected many critical healthcare services across the United States, and the attack on St. Margaret’s Health in Illinois which disrupted the hospital’s billing systems and contributed to the permanent closure of the hospital. In addition to causing financial harm to healthcare providers and threatening patient safety, the data stolen in these attacks can be used for further criminal activity causing financial harm to patients.

If the threat actors behind these attacks are not identified, arrested, and prosecuted, they will continue to conduct attacks that threaten patient safety and cause considerable financial harm, and it is inevitable that other healthcare facilities will be forced to close. “I urge you to assign all necessary resources at your disposal to prioritize the investigation of this incident and ask that you keep my office apprised of your progress,” said Senator Scott.

Many of these attacks are conducted by threat groups operating out of China, Russia, and North Korea, countries that do not have extradition treaties with the United States, which makes it difficult to bring the perpetrators to justice. Senator Scott said these attacks pose a clear and present threat to critical health systems and has requested answers from Wray on the actions being taken to counter these threats, such as how the FBI is coordinating with health systems to prevent cyberattacks, what the FBI is doing to coordinate investigations of healthcare cyberattacks, whether the FBI believes that the majority of the threat actors behind these attacks are operating from outside the United States, and if so, the countries where these cyberattacks are originating. Senator Scott also asked whether the FBI has sufficient resources to fully investigate these attacks and pursue the perpetrators and whether additional resources and authorities are needed.

The post Florida Senator Urges FBI to Prioritize Investigation of Tampa General Hospital Cyberattack appeared first on HIPAA Journal.

Health3PT Shares Best Practices for Improving Third Party Risk Management in Healthcare

The Health 3rd Party Trust Initiative (Health3PT) has published the findings of a recent survey of HIPAA-covered entities and their business associates that explored the current state of third-party cyber risk management in healthcare and identified some of the key challenges faced by HIPAA-regulated entities.

Supply chain vendors and service providers introduce risks that need to be identified, managed, and reduced to a low and acceptable level; however, the methods used to manage third-party risks are often burdensome and inadequate. According to the survey, which was conducted on 59 HIPAA-covered entities and 128 business associates, significant resources and money are committed to managing third-party risk but 68% of covered entities and 79% of business associates say third-party risk management (TPRM) processes are inefficient and 60% of HIPAA-covered entities and 72% of business associates think TPRM is not effective at preventing data breaches.

55% of healthcare organizations have experienced a data breach in the past year through a third party, and 90% of the most significant healthcare data breaches in 2022 occurred at business associates of HIPAA-covered entities. The average cost of those data breaches was more than $10 million per incident. According to Health3PT, there are significant blind spots in organizations’ third-party information security management programs. These are caused by organizations and vendors handling assessments differently and, in many cases, relying on manual processes.

Many organizations lack the necessary resources to follow up on vendor risk management efforts, and while vendors provide assurances that information security controls have been implemented, they do not consistently demonstrate that appropriate controls are in place. One of the main problems is covered entities and business associates relying on outdated TPRM approaches which result in inconsistent and unclear risk management outcomes. TPRM processes at many healthcare organizations have not changed for decades and were not particularly effective even when they were introduced as they were adopted from other verticals and never properly matched the needs of healthcare organizations. These processes have also failed to maintain pace with advances in technology, such as the use of the cloud.

The biggest challenge for covered entities is keeping pace with the volume of security assessments. Due to the number of vendors used by healthcare organizations, vendor audit fatigue often sets in. Healthcare organizations are receiving a high volume of security questionnaires from vendors but they do not have the necessary IT resources to deal with the questionnaires they receive, which means third-party vendors are not properly evaluated and risks fail to be properly addressed. Other key challenges were getting vendors to address deficiencies, the turnaround time for assessments, obtaining transparent assurances from vendors to satisfy requests the first time around, and keeping up with changing threats and risks associated with vendors.

The biggest challenges for business associates were customers’ willingness to accept a validated assessment in lieu of questionnaires, handling the variability of questionnaires and audits, and the time allowed to provide quality responses and evidence to requesting customers. Covered entities and business associates both admitted to feeling overwhelmed with TPRM processes and felt current processes are effective at preventing data breaches. Covered entities and business associates both expressed a desire to improve TPRM efficiency through improved collaboration, standardization, and automation.

Third parties pose major risks to healthcare organizations and there is considerable potential for those risks to compromise privacy and patient safety. Some of the main shortcomings with TPRM are the lack of an overarching methodology for risk-tiering vendors, overreliance on verbose contract terms, inconsistent questionnaires and validation of the information collected, limited follow-ups on the resolution of identified security gaps, and limited organization-wide insight into vendor security risk.

To help address these shortcomings, Health3PT has shared best practices in its Recommended Practices & Implementation Guide, which helps covered entities and business associates improve TPRM efficiency and effectiveness. “Establishing and adopting these more effective and efficient TPRM processes will transition TPRM in healthcare from a superficial check-the-box exercise that exposes organizations to unnecessary risks to more robust, collaborative information protection programs that ultimately will benefit all participants across the healthcare community,” explained Health3PT.

The post Health3PT Shares Best Practices for Improving Third Party Risk Management in Healthcare appeared first on HIPAA Journal.