Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.
It has been almost two years since I started this incredible journey at CynergisTek and in healthcare. In that time, what I have found to be the most impressive is the amount of ongoing and constant change. Particularly, I have seen how security has changed in healthcare IT over the past few years and how as an industry we are responding to it to improve our ability to protect patient information.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released preliminary results from Phase 2 of the HIPAA Audit Program. The data was drawn from limited scope desk audits of 166 covered entities (CE) in July 2016. OCR rated their compliance with the HIPAA Privacy, Security and Breach Notification standards as largely “inadequate,” with over 94% of the covered entities failing to demonstrate appropriate risk management plans.
In the classic movie Groundhog Day, the main character played by Bill Murray finds himself trapped reliving the exact same day over and over again. In the film, he eventually decides to make the day better, to right as many wrongs as possible eventually leading him to escape the loop. In a similar fashion, information security in general has been stuck in a Groundhog Day type of loop for at least a couple of decades, and unless we can make some changes we can expect more futility as we fight the uphill battle of information security.
Having a solid security plan is extremely important to build an effective information management program. The security plan should also include a separate disaster recovery plan for the unfortunate event of an incident. I recently sat down with Mac McMillan, Chief Strategy Officer and President of CynergisTek to discuss the differences between having a security plan and having a disaster recovery plan, as well as the current state of security.
There is consensus agreement that threats that exploit vulnerabilities in the health care cyberinfrastructure grow and evolve at a breakneck pace. Organizations that take a holistic view in developing a flexible approach to understand, manage and reduce its cybersecurity risk, will be in a better position to defend their enterprise from attack.
The increase of ransomware attacks on healthcare entities and their business associates continues to be a significant concern. While covered entities (CE) have their own issues to deal with when the attack is directly against the organization, there are additional considerations if the attack is on a business associate (BA). This issue was recently raised when there was a reported attack against a BA used by several healthcare entities. The attack was made public, which means the CEs that used the business associate were on notice of the attack.
Petya, or NotPetya as some call it, has shown itself to either be very poorly thought out ransomware, or more likely a full on destructive malware attack thinly veiled as ransomware. In essence, a “traditional” ransomware threats will encrypt specific important file types and show the user a ransom note telling them to pay or lose their data. In the last week of June, we saw something stranger, on the surface it appeared to be a modified version of a known and fairly common ransomware variant called Petya, hence the NotPetya name. However, unlike standard ransomware, where the entire purpose of it is to make money, the ransom payment and recovery mechanisms built into this new Petya variant were very weak. It relied on a single email address (that was promptly shut down) and a single Bitcoin wallet meaning there was virtually no way for the criminals to know who had paid, or which key might be the right one to unlock the data.
Hospital administrators are reporting challenges in hiring and retaining cybersecurity professionals needed to mitigate the new cyber threats. The issue is getting broad attention outside of healthcare, including a National Public Radio’s All Things Considered aired a segment addressing the issue on July 26, 2017. This is due in part to reports that there are over one million open security positions that can’t be filled. The challenges are real, but they can be managed when properly framed.
IT and InfoSec professionals have been playing catch up with users since the beginning of time (as long as you consider the first computer the beginning of time like I do). This is at least partially caused by an all-encompassing misunderstanding that has been rarely noticed at best and certainly never been remediated.