Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.
A Growing Problem for Healthcare Organizations
The opioid crisis and drug addiction are not confined to criminals; the problem is growing across all segments of the population, including healthcare workers. This is a multi-faceted
2017 was an active year for healthcare IT professionals. 78% of healthcare providers experienced a ransomware or malware attack, and many of these attacks reinforced the fact that an attack can send an organization
2017 will go down as a year of change for Health Insurance Portability and Accountability Act (HIPAA) enforcement of the Privacy, Security, and Breach Notification Rules. This comes on the heels of 2016, which saw an unprecedented level of enforcement activity: 13 settlements and nearly a 300% increase in total fines collected over 2015. In 2017, nine compliance reviews were settled with resolution agreements, in addition to one HIPAA enforcement action in which a civil monetary penalty was levied. In total, OCR collected $19.4 million in fines and penalties through its 2017 enforcement actions.
Many organizations monitor and audit access to protected health information only when a patient complaint or some other event triggers an investigation. This reactive, for-cause monitoring and auditing is necessary, but organizations should also be doing proactive, not-for-cause auditing and monitoring. Under the HIPAA Security Rule, covered entities and business associates are required to have policies and procedures in place to prevent, detect, contain and correct security violations (45 CFR 164.308(a)(1)(i)).
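As an added example (not code from the original post or from CynergisTek), the following Python script is a small not-for-cause review that could be scheduled to run daily over an EHR access audit trail. It applies three checks that need no complaint to trigger them: a user whose surname matches the patient's, any access to a watch-listed record, and a user-day whose access count is far above the norm. The log format, users, patients and watch list are constructed for the example; a real implementation would read the EHR's audit export and the organization's own watch list.

```python
"""Proactive, not-for-cause review of an EHR access audit trail.

Constructed example: the log lines, users, patients and watch list are
invented for illustration and do not come from any real system.
"""
import csv
import io
import statistics
from collections import Counter

# Constructed audit trail (CSV). Fields: timestamp, user, role,
# user_lastname, patient_id, patient_lastname, action.
_HEADER = "timestamp,user,role,user_lastname,patient_id,patient_lastname,action"
_ROWS = [
    "2017-11-03T08:01:00,jsmith,nurse,Smith,P1001,Jones,VIEW",
    "2017-11-03T08:05:00,jsmith,nurse,Smith,P1002,Brown,VIEW",
    "2017-11-03T08:40:00,jsmith,nurse,Smith,P1003,Garcia,VIEW",
    "2017-11-03T09:10:00,dlee,billing,Lee,P1001,Jones,VIEW",
    "2017-11-03T09:12:00,dlee,billing,Lee,P1004,Lee,VIEW",  # user and patient share a surname
    "2017-11-03T10:00:00,rjones,nurse,Jones,P1002,Brown,VIEW",
    "2017-11-04T08:15:00,jsmith,nurse,Smith,P1005,Patel,VIEW",
    "2017-11-04T08:20:00,jsmith,nurse,Smith,P1006,Kim,VIEW",
    "2017-11-04T10:30:00,rjones,nurse,Jones,P1007,Nguyen,VIEW",
]
# On the second day one billing user opens a dozen records within twelve minutes.
_ROWS += [f"2017-11-04T09:{i:02d}:00,dlee,billing,Lee,P{1100 + i},Surname{i},VIEW"
          for i in range(12)]
SAMPLE_LOG = "\n".join([_HEADER] + _ROWS)

# Constructed watch list: records that warrant review on every access
# (employees, public figures, ...). A real list comes from the EHR.
WATCHLIST_PATIENTS = {"P1105"}


def parse_log(text):
    """Parse the CSV audit trail into a list of dict events."""
    return list(csv.DictReader(io.StringIO(text)))


def same_surname_access(events):
    """Events where the user's surname matches the patient's: a common
    indicator of staff looking up family members without a care reason."""
    return [e for e in events
            if e["user_lastname"].casefold() == e["patient_lastname"].casefold()]


def watchlist_access(events, watchlist=WATCHLIST_PATIENTS):
    """Every access to a watch-listed record."""
    return [e for e in events if e["patient_id"] in watchlist]


def volume_outliers(events, factor=3.0, min_count=10):
    """(user, day, count) tuples where a user's daily access count exceeds
    factor x the median user-day count in the log, and at least min_count.
    The floor stops a quiet log from flagging ordinary workloads."""
    per_day = Counter((e["user"], e["timestamp"][:10]) for e in events)
    if not per_day:
        return []
    threshold = max(min_count, factor * statistics.median(per_day.values()))
    return sorted((user, day, n) for (user, day), n in per_day.items() if n > threshold)


def review(text):
    """Run every not-for-cause check and return the findings by check name."""
    events = parse_log(text)
    return {
        "same_surname": same_surname_access(events),
        "watchlist": watchlist_access(events),
        "volume": volume_outliers(events),
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        print(f"{check}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

Each finding is a lead for the privacy office, not proof of a violation: a nurse may legitimately treat a relative, and a billing clerk may have a batch job to run. The value of running this every day is that the review happens before a complaint arrives, and the thresholds (the multiplier and the floor) should be tuned per role rather than applied organization-wide.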
Healthcare organizations are more vulnerable to phishing than industries such as banking because the average maturity of their security controls and awareness training is lower. Successful phishing campaigns rely heavily on email sent from either spoofed domains (the organization's own domain forged in the From header) or lookalike domains (a similar-looking domain the attacker actually controls). Mail originating outside the organization's domain, including lookalikes, can be tagged as external to alert the end user. Spoofed domains cannot be caught by that tag, since the message claims to be internal; identifying them and diverting them to a spam or quarantine folder requires technical controls such as SPF, DKIM and DMARC checks on inbound mail.
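As an added example (not code from CynergisTek or the original post), the following Python script sorts inbound mail into the categories above: internal, spoofed, lookalike and external, and applies the matching user-facing tag. The organization domain exampleclinic.org, the sample messages and their Authentication-Results headers are all constructed; in production that header is written by the receiving MTA (RFC 8601) after it evaluates SPF, DKIM and DMARC, and the script only reads it. The lookalike test folds the usual glyph tricks (rn for m, 1 for l, a different TLD, the real domain used as a subdomain) and goes slightly beyond the post by also measuring edit distance.

```python
"""Classify inbound mail as internal, spoofed, lookalike or external.
Constructed example: the organisation domain, sample messages and their
Authentication-Results headers are invented. In production that header is
written by the receiving MTA (RFC 8601) after it checks SPF, DKIM and DMARC."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "exampleclinic.org"  # assumed organisation domain (constructed)

# Glyph pairs that render alike ("rn" vs "m") and digits that pass for letters;
# folding them lets a lookalike domain compare equal to the real one.
_MULTI = (("rn", "m"), ("vv", "w"))
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)
_PREFIX = {"internal": "", "external": "[EXTERNAL] ",
           "lookalike": "[EXTERNAL - LOOKALIKE DOMAIN] ", "spoofed": "QUARANTINE: "}


def normalize(domain):
    """Lowercase a domain and collapse lookalike glyph sequences."""
    d = domain.lower().translate(_SINGLE)
    for pair, repl in _MULTI:
        d = d.replace(pair, repl)
    return d


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org=ORG_DOMAIN):
    """True when domain imitates org: equal after glyph folding, within one edit
    of org or of its second-level label (so a different TLD counts), or org used
    as a leading subdomain such as exampleclinic.org.attacker.net."""
    if domain.lower() == org.lower():
        return False  # exactly our domain: decided by the authentication checks
    d, o = normalize(domain), normalize(org)
    if d == o or d.startswith(o + ".") or levenshtein(d, o) <= 1:
        return True
    d_sld, o_sld = d.split(".")[-2:][0], o.split(".")[-2:][0]
    return levenshtein(d_sld, o_sld) <= 1


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the MTA's Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in _AUTH_RE.findall(header):
            results[method.lower()] = verdict.lower()
    return results


def classify(raw, org=ORG_DOMAIN):
    """Return 'internal', 'spoofed', 'lookalike' or 'external' for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if domain == org.lower():
        auth = auth_results(msg)
        # A message that claims our own domain is trusted only if the MTA verified it;
        # an external-sender tag can never catch this case, which is why SPF/DKIM/DMARC are needed.
        if auth.get("dmarc") == "pass" or (auth.get("spf") == "pass" and auth.get("dkim") == "pass"):
            return "internal"
        return "spoofed"
    return "lookalike" if is_lookalike(domain, org) else "external"


def tag_subject(raw, org=ORG_DOMAIN):
    """The user-facing control: prefix the subject by verdict; spoofed mail is held."""
    return _PREFIX[classify(raw, org)] + message_from_string(raw).get("Subject", "")


# Constructed sample messages, one per verdict.
SAMPLES = {
    "internal": ("From: Alice Nurse <alice@exampleclinic.org>\n"
                 "Authentication-Results: mx.exampleclinic.org; spf=pass smtp.mailfrom=exampleclinic.org;"
                 " dkim=pass header.d=exampleclinic.org; dmarc=pass header.from=exampleclinic.org\n"
                 "Subject: Shift change\n\nSee you at 7.\n"),
    "spoofed": ("From: IT Helpdesk <helpdesk@exampleclinic.org>\n"
                "Authentication-Results: mx.exampleclinic.org; spf=fail smtp.mailfrom=exampleclinic.org;"
                " dkim=none; dmarc=fail header.from=exampleclinic.org\n"
                "Subject: Password expires today\n\nClick here to keep your account.\n"),
    "lookalike": "From: Billing <billing@exarnpleclinic.org>\nSubject: Overdue invoice\n\nPay now.\n",
    "external": "From: Vendor News <news@vendor-example.com>\nSubject: Newsletter\n\nHello.\n",
}
```

The split between the two halves of the script mirrors the point in the post: `is_lookalike` and the `[EXTERNAL]` prefix are something a mail gateway can do on its own and the user can act on, while the `spoofed` verdict depends entirely on the MTA having verified SPF, DKIM and DMARC first. A gateway that only tags external senders will deliver the constructed "Password expires today" message as if it were internal.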
It’s likely that you’ve already heard about KRACK in the last few days. KRACK (Key Reinstallation Attack) is a newly disclosed and somewhat alarming set of weaknesses in the Wi-Fi Protected Access 2 (WPA2) wireless standard, specifically in how the four-way handshake installs keys. As has been the case for many recently discovered vulnerabilities, the party that discovered it gave it a brand name, and the media then latched on and made a bigger deal of it than they probably should have.
The NotPetya attack in late June 2017 spotlighted a supply-chain attack vector that proved effective against a targeted population. In that attack (which presented itself as ransomware), the attackers compromised a software vendor and inserted malicious code directly into a legitimate software update. The vendor was the major supplier of financial software to many businesses in one country, Ukraine. This could be coincidence, or it could be an indicator that rogue actors are starting to exploit weaknesses in the software supply chain.
Security of an organization’s printers and multi-function devices, as well as the data stored on them, is handled by the IT department, right? Even where that is true, compliance and privacy officials should care about what is happening with these devices. It is not uncommon for them to have significant internal storage, as much as 320 GB, and a healthcare organization will have hundreds if not thousands of such devices. Think about how many records one device could hold, and about what gets printed in a busy clinical area or by staff in finance or patient quality: these business units often work with large files containing the information of hundreds if not thousands of individuals. Has anyone at the organization ever evaluated the volume of records printed by the staff in one of these areas?