Background on Incident Response During Coronavirus Pandemic The coronavirus pandemic has pushed many healthcare organizations to shift a much larger share of their workforce to remote work. For many of these individuals this is a new experience. The employees working remotely during the pandemic are mostly non-clinical staff in back-office operations such as patient accounting, procurement, and information technology. This upending of normal operations was necessary to limit the rate of community spread by reducing personal contact. Unfortunately,
New Vulnerabilities Recently Discovered in Bluetooth® Pairing Specifications Vulnerability Overview Hospitals and other providers rely heavily on Bluetooth® connections, not only for the ubiquitous phone headsets and keyboards but also as a major technology supporting connected medical devices. Bluetooth® Low Energy also supports location tracking with much higher accuracy than traditional Radio Frequency IDentification (RFID). Researchers at the Israel Institute of Technology recently identified two security vulnerabilities that may be present within the healthcare community. The two
Would You Like a Wake-Up Call? Looking back, the December 2016 Food and Drug Administration Pre-Market and Post-Market Cybersecurity Management Guidance captured the attention of many medical device manufacturers. Since then, we have seen the rate at which manufacturers issue security vulnerability alerts rise by 400 percent per quarter. More importantly, the number of critical vulnerabilities reported, measured as a percentage of total reports, jumped by over 550 percent when comparing the periods before and after the FDA guidance. So why
Public Health In 2014 and 2015, the world faced a major health crisis when individuals throughout the world were being exposed to the Ebola virus. Because of the highly contagious nature of the virus, public health officials were concerned that the outbreak could quickly turn into a pandemic. When the outbreak was first discovered, there was no vaccine, and an estimated 50% of patients perished following exposure. Fortunately, healthcare professionals were able to save many and started
The NotPetya attack in late June 2017 spotlighted a new attack vector that has proven effective against specific targets. In the summer NotPetya ransomware attack, the attackers successfully penetrated a major software vendor and inserted the malicious code directly into a legitimate software update. The software vendor was the major supplier of financial software to many businesses in one country (Ukraine). This could be pure coincidence, or it could be an indicator that rogue actors are starting to exploit weaknesses in the software supply chain.
Hospital administrators are reporting challenges in hiring and retaining the cybersecurity professionals needed to mitigate new cyber threats. The issue is getting broad attention outside of healthcare, including a National Public Radio All Things Considered segment on the subject that aired on July 26, 2017. This is due in part to reports that there are over one million open security positions that cannot be filled. The challenges are real, but they can be managed when properly framed.
If one lesson is clear from the constant stream of recent settlements announced by the Office for Civil Rights, it is that covered entities are not implementing risk management plans that reduce risks to protected health information (PHI) to an acceptable and appropriate level. Seeing the same finding so frequently is a strong indicator of a more systemic issue: organizations could use more detailed guidance on how to manage those risks.
SMS Two-Factor Authentication Is No Longer Approved By NIST This week the National Institute of Standards and Technology (NIST) released new guidance regarding SMS two-factor authentication (2FA) in its latest draft of the Digital Authentication Guideline. According to the draft, NIST says, “[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.” The draft guidance from NIST doesn’t go into too much detail as to why this method has been