Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.
2017 will go down as a change year for Health Insurance Portability and Accountability Act (HIPAA) enforcement of the Privacy, Security, and Breach Notification Rules. This comes on the heels of 2016, which saw an unprecedented level of enforcement actions, with 13 total settlements and nearly a 300% increase in total collected fines over 2015. In 2017, nine compliance reviews were settled with resolution agreements, in addition to a HIPAA enforcement action in which a civil monetary penalty was levied. A total of $19.4 million in fines and penalties was collected in 2017 by OCR through its enforcement actions.
Monitoring and auditing of access to protected health information by many organizations is prompted by patient complaints or some other event triggering the need to conduct an investigation. This is reactive, or for-cause, access monitoring and auditing. It is necessary, but organizations should also be doing proactive, not-for-cause auditing and monitoring. Under the HIPAA Security Rule, covered entities and business associates have an obligation to have policies and procedures in place to prevent, detect, contain and correct security violations (45 CFR 164.308(a)(1)(i)).
Healthcare organizations are more vulnerable to phishing attacks as the average maturity of security controls and training is less than that of other industries, such as banking. Successful phishing attacks rely heavily on emails with either spoofed or similar-looking domain names. Emails originating outside of an organization’s domain but with similar domains can be flagged as an external email to alert the end-user. Unfortunately, emails with spoofed domains require technical controls to identify and divert to a spam folder.
It’s likely that you’ve already heard about KRACK in the last few days. KRACK is a new and somewhat alarming vulnerability recently disclosed in the Wi-Fi Protected Access 2 (WPA2) wireless networking standard. As has been the case for many recently discovered vulnerabilities, the party that discovered it branded it, and the media then latched on and made a bigger deal out of it than they probably should have.
The NotPetya attack in late June 2017 spotlighted a new attack vector that has been successful in attacking specific domains. In the summer NotPetya Ransomware attack, the attackers successfully penetrated a major software vendor and inserted the malicious code directly into a legitimate software update. The software vendor was the major supplier of financial software to many businesses in one country (Ukraine). This could be pure coincidence, or it could be an indicator that rogue actors are starting to exploit weaknesses in the supply chain.
Security of an organization’s printers and multi-function devices, as well as the data on those devices, is handled by the IT department, right? While this might be true, compliance and privacy officials should care about what is happening with these devices. It is not uncommon for these devices to have significant data storage capacities, as much as 320 GB. Imagine how many records such a device could hold, and consider that a healthcare organization will have hundreds if not thousands of such devices. Think about what gets printed in a busy clinical area or by the staff in finance or patient quality. These business units often work with large files that include the information of hundreds if not thousands of individuals. Has anyone at the organization ever evaluated the volume of records that get printed by the staff in one of these areas?
It has been almost two years since I started this incredible journey at CynergisTek and in healthcare. In that time, what I have found to be the most impressive is the amount of ongoing and constant change. Particularly, I have seen how security has changed in healthcare IT over the past few years and how as an industry we are responding to it to improve our ability to protect patient information.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released preliminary results from Phase 2 of the HIPAA Audit Program. The data was drawn from limited scope desk audits of 166 covered entities (CE) in July 2016. OCR rated their compliance with the HIPAA Privacy, Security and Breach Notification standards as largely “inadequate,” with over 94% of the covered entities failing to demonstrate appropriate risk management plans.
In the classic movie Groundhog Day, the main character, played by Bill Murray, finds himself trapped reliving the exact same day over and over again. In the film, he eventually decides to make the day better and to right as many wrongs as possible, which eventually leads him to escape the loop. In a similar fashion, information security in general has been stuck in a Groundhog Day type of loop for at least a couple of decades, and unless we can make some changes we can expect more futility as we fight the uphill battle of information security.
Having a solid security plan is extremely important to build an effective information management program. The security plan should also include a separate disaster recovery plan for the unfortunate event of an incident. I recently sat down with Mac McMillan, Chief Strategy Officer and President of CynergisTek to discuss the differences between having a security plan and having a disaster recovery plan, as well as the current state of security.