Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.
It’s likely that you’ve already heard about KRACK in the last few days. KRACK is a new and somewhat alarming vulnerability recently disclosed in the Wi-Fi Protected Access 2 (WPA2) wireless networking standard. As has been the case for many recently discovered vulnerabilities, the party that discovered this branded it, and the media then latched on and made a bigger deal out of it than they probably should.
The NotPetya attack in late June 2017 spotlighted a new attack vector that has been successful in attacking specific domains. In the summer NotPetya Ransomware attack, the attackers successfully penetrated a major software vendor and inserted the malicious code directly into a legitimate software update. The software vendor was the major supplier of financial software to many businesses in one country (Ukraine). This could be pure coincidence, or it could be an indicator that rogue actors are starting to exploit weaknesses in the supply chain.
Security of an organization’s printers and multi-function devices, as well as the data on those devices, is handled by the IT department, right? While this might be true, compliance and privacy officials should care about what is happening with these devices. It is not uncommon for these devices to have significant data storage capacities, as much as 320 GB. Imagine how many records such a device could hold, as well as the fact healthcare organization will have hundreds if not thousands such devices. Think about what gets printed in a busy clinical area or by the staff in finance or patient quality. These business units often work with large files that include the information of hundreds if not thousands of individuals. Has anyone at the organization ever evaluated the volume of records that get printed by the staff in one of these areas?
It has been almost two years since I started this incredible journey at CynergisTek and in healthcare. In that time, what I have found to be the most impressive is the amount of ongoing and constant change. Particularly, I have seen how security has changed in healthcare IT over the past few years and how as an industry we are responding to it to improve our ability to protect patient information.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released preliminary results from Phase 2 of the HIPAA Audit Program. The data was drawn from limited scope desk audits of 166 covered entities (CE) in July 2016. OCR rated their compliance with the HIPAA Privacy, Security and Breach Notification standards as largely “inadequate,” with over 94% of the covered entities failing to demonstrate appropriate risk management plans.
In the classic movie Groundhog Day, the main character played by Bill Murray finds himself trapped reliving the exact same day over and over again. In the film, he eventually decides to make the day better, to right as many wrongs as possible eventually leading him to escape the loop. In a similar fashion, information security in general has been stuck in a Groundhog Day type of loop for at least a couple of decades, and unless we can make some changes we can expect more futility as we fight the uphill battle of information security.
Having a solid security plan is extremely important to build an effective information management program. The security plan should also include a separate disaster recovery plan for the unfortunate event of an incident. I recently sat down with Mac McMillan, Chief Strategy Officer and President of CynergisTek to discuss the differences between having a security plan and having a disaster recovery plan, as well as the current state of security.
There is consensus agreement that threats that exploit vulnerabilities in the health care cyberinfrastructure grow and evolve at a breakneck pace. Organizations that take a holistic view in developing a flexible approach to understand, manage and reduce its cybersecurity risk, will be in a better position to defend their enterprise from attack.
The increase of ransomware attacks on healthcare entities and their business associates continues to be a significant concern. While covered entities (CE) have their own issues to deal with when the attack is directly against the organization, there are additional considerations if the attack is on a business associate (BA). This issue was recently raised when there was a reported attack against a BA used by several healthcare entities. The attack was made public, which means the CEs that used the business associate were on notice of the attack.