Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.
WannaCry, Petya, NotPetya—recent news reports have been filled with coverage of massive ransomware attacks that swept across the globe, wreaking havoc on public utilities, companies, health systems and government offices. Ransomware is a type of malware that prevents or limits access to a system until a ransom is paid. In the face of these attacks and other emerging cybersecurity threats, what can healthcare organizations do to identify vulnerabilities and protect sensitive patient data?
There is no shortage of professionals and experts talking about security, but if you want to understand security, or even just IT in general, you have to understand human beings. The users and those that administer the systems are all people. If one strives to understand and impact security overall, they must fully understand the human condition.
Airway Oxygen reported the largest ransomware attack to date to OCR’s wall of shame on June 16th, 2017. It affected 500,000 individuals, making it the second largest breach so far in 2017. I believe there are several takeaways from this incident that the industry show know about.
In the United States, we got lucky, very lucky, that a malware researcher known only as @MalwareTechBlog on Twitter found the “kill switch” domain in the code of the WannaCry ransomware. Had he not found and purchased this domain, effectively neutering the ransomware, I believe that the incident could have been much worse. It was already quite bad around the world with estimates of over 200,000 systems infected including many healthcare providers in the United Kingdom.
Recently, incidents involving the internet of things (IoT) have had no shortage of media coverage. In fact, I would suggest that the IoT has become one of the top buzzwords in IT right now. Large, more mature organizations have started to realize the growing attack surface that IoT is creating for the enterprise they manage, but whether large or small organizations are feeling the pressure to allow IoT on their networks even though in many cases they are not equipped to deal with it effectively. In healthcare, this is particularly troubling as IoT attacks generally cause some form of disruption which can affect both operations and patient safety.
CynergisTek is committed to creating awareness and providing education to the industry to help the industry move forward. As such, we are proud to support CHIME and help advance the role of the CIO and other senior executives in health IT. Recently, CHIME discussed the value of its Cooperative Member Services Program and how it benefited Brian Sterud, CIO at Faith Regional Health Services.
If one lesson is clear from the constant stream of recent settlements announced by the Office for Civil Rights, it is that covered entities are not implementing risk management plans to reduce risks to protected health information (PHI) to an acceptable and appropriate level. The frequency of seeing the same finding is a strong indicator of a more systemic issue – that organizations could use more detailed guidance on how to manage risks.
The Office for Civil Rights (OCR) has issued advisories that a HIPAA covered entity or business associate that is affected by the “WannaCry” ransomware attack or other malware should respond to the incident as a reportable breach under the HIPAA/HITECH Breach Notification Rule.
In your midst is a shadowy network of illicit devices poisoning the carefully controlled ecosystem you and your networking operations team have painstakingly built. Years of toiling with management to fund new initiatives, educating users to act securely, managing policies and procedures with careful and diligent precision are at risk of being rendered useless.
Thus far in 2017, the Office for Civil Rights (OCR) has announced that they have negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million. In all but one of these cases, organizations have also been saddled with multi-year corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016 in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.