For some time now, we’ve been blogging about increases in cybercrime as well as what you can do about it. The Workgroup for Electronic Data Interchange (WEDI) has published a cybercrime issue brief that explores some of healthcare’s common vulnerabilities typically exploited by cybercriminals today. WEDI also recommends best practices you can apply to help mitigate these vulnerabilities. It’s a worthwhile read.
[Download the PDF: The Rampant Growth of Cybercrime in Healthcare]
A few startling points and excerpts from the brief:
- “Data breaches cost the healthcare industry approximately $6.2 billion each year, with the average breach incurring damages of $2.2 million and compromising 3,128 records per incident.”
- That’s a very significant set of statistics. Despite this, “only 40 percent of healthcare organizations express concern about cyberattacks or report that their cybersecurity budget has increased in response to threats.”
The cybercrime issue brief also reviews common threats to healthcare organizations, such as spyware, malware (e.g. ransomware, rootkits and worms), “hacktivist” activity, and the latest phishing methods such as spear phishing and whaling.
Chris Apgar, CISSP is a former WEDI Board Member, a longtime member of its HIE Workgroup, and the founder of Apgar and Associates, LLC. The privacy and security compliance consulting firm helps organizations with information security risk analysis, creating risk mitigation and risk management plans, and more. For more information: 877-376-1981.
That was the title of an early January eblast to our subscribers where we talked about insider risk and audit controls. Then OCR sends out an email about a recent $5.5 million settlement with Memorial Healthcare Systems (MHS) about PHI being “impermissibly accessed” and “impermissibly disclosed” to doctors’ staff.
The email serves as an expensive yet imperative reminder of how important audit controls are to protecting PHI. MHS didn’t follow the HIPAA Security Rule’s proper access controls, didn’t address risks it had identified as part of risk analyses conducted from 2007 to 2012 and has paid the price. Unfortunately, those whose PHI was shared with far more people than necessary still lose, because the information can’t be unseen.
It raises the question: why do so many people who clearly don’t need access to ePHI have it? As we discussed in a previous blog article, “Who has access to your healthcare data?”, the insider risk is all too real.
It’s worth repeating that training won’t stop bad people from doing bad things. However, a privacy breach is often due to inadequate monitoring of health information access, especially when you’ve already identified that as a risk yet have done nothing about it. Someone with no malicious intent, but also no legitimate reason to access ePHI, can wreak unintentional havoc.
6 Essentials for ePHI Access & Monitoring
- Train everyone. While it’s not a cure-all, the need for regular (at least semi-annual) privacy and security training cannot be overstated.
- Don’t hesitate to do a thorough screening of every employee who could potentially have access to or cause risk to ePHI.
- For those who will have access, be sure that their access is appropriate to their “need to know.” Maybe it’s time to get more stringent.
- Conduct regular, timely audits of PHI access logs. Many organizations audit but far too infrequently. Step it up to reduce breach risk.
- Review employee access to PHI on a regular basis to make sure someone who has left your organization no longer has access to your patients’ PHI.
- Review and possibly revise your current audit control protocols.
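To make essentials 3, 4 and 5 concrete, here is an added example (not code from the original post or from Apgar and Associates) that reviews a small ePHI access log against an HR roster. The audit-export format, the roster, the “billing” cross-department exception and the per-day volume threshold are all assumptions constructed for this illustration; map them onto your own EHR audit export and HR feed.

```python
"""Review an ePHI access log against an HR roster.

Added example, not code from the original post or from Apgar and Associates.
The audit-export format, the roster, the 'billing' cross-department exception
and the per-day threshold are assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: account -> (department, status, termination date or None)
ROSTER = {
    "jsmith":  ("cardiology", "active", None),
    "mlee":    ("billing",    "active", None),
    "rdoe":    ("oncology",   "terminated", date(2017, 1, 15)),
    "tnguyen": ("cardiology", "active", None),
}

# Constructed EHR audit export: timestamp, account, patient id, patient's treating department
ACCESS_LOG = """\
2017-02-01T08:02:11,jsmith,P1001,cardiology
2017-02-01T08:05:40,jsmith,P1002,cardiology
2017-02-01T09:10:03,mlee,P1001,cardiology
2017-02-01T09:11:15,mlee,P2001,oncology
2017-02-01T10:30:00,rdoe,P2002,oncology
2017-02-01T11:00:00,tnguyen,P1003,cardiology
2017-02-01T11:01:00,tnguyen,P3001,orthopedics
2017-02-01T11:02:00,tnguyen,P3002,orthopedics
2017-02-01T11:03:00,tnguyen,P3003,orthopedics
2017-02-01T11:04:00,tnguyen,P3004,orthopedics
"""


def parse_log(text):
    """Turn the comma-separated export into a list of access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, patient, dept = line.split(",")
        records.append({
            "when": datetime.fromisoformat(ts),
            "account": account,
            "patient": patient,
            "patient_dept": dept,
        })
    return records


def review_access(records, roster, cross_department_roles=frozenset({"billing"}),
                  per_day_threshold=3):
    """Apply three of the review rules from the list above; each finding is (rule, account, detail)."""
    findings = []
    distinct_per_day = defaultdict(set)
    for r in records:
        dept, status, term_date = roster.get(r["account"], (None, "unknown", None))
        if status == "unknown":
            # An account the HR roster does not know about needs explaining.
            findings.append(("unknown_account", r["account"], r["patient"]))
            continue
        # Essential 5: access on or after the termination date.
        if status == "terminated" and r["when"].date() >= term_date:
            findings.append(("terminated_account", r["account"], r["patient"]))
        # Essential 3: need-to-know; departments assumed to have organization-wide need are exempt.
        if dept != r["patient_dept"] and dept not in cross_department_roles:
            findings.append(("out_of_department", r["account"], r["patient"]))
        distinct_per_day[(r["account"], r["when"].date())].add(r["patient"])
    # Essential 4: unusually many distinct patients touched by one account in one day.
    for (account, day), patients in sorted(distinct_per_day.items()):
        if len(patients) > per_day_threshold:
            findings.append(("high_volume", account, f"{len(patients)} patients on {day}"))
    return findings


def count_by_rule(findings):
    """Tally findings per rule, for a one-line summary of the review."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in review_access(parse_log(ACCESS_LOG), ROSTER):
        print(*finding)
```

Run as a script, it lists the terminated account that still reads a record, the cardiology user browsing orthopedics patients, and the same user as a high-volume outlier for the day. The thresholds are deliberately low so the sample trips them; in practice you would tune them per role and run the review on a schedule that matches essential 4, not once a year.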
What are your action steps? If you’re not sure, or if you want to see if your prevention measures are where they need to be, give us a call at 877-376-1981. We’ll discuss best next steps for your ePHI protection planning.
In the interim, we suggest you download the Common Sense Guide to Mitigating Insider Threats, 4th Edition, from US-CERT (U.S. Computer Emergency Readiness Team).
All indicators are that 2017 will continue to see healthcare data come under attack as its value on the black market holds. That means that healthcare organizations can expect to remain prime targets for malicious cyberattacks.
It doesn’t help that many healthcare organizations struggle with challenges that include outdated information systems and cybersecurity gaps, as well as the fact that medical device manufacturers haven’t traditionally focused on device security. While healthcare organizations are diligently working to close gaps on their side in both cyber and workforce, the OCIA (Office of Cyber and Infrastructure Analysis) has released a product that may help.
Healthcare & Public Health Sector Cyber Dependencies
This fairly extensive product addresses everything from the sector background to cyber incidents affecting medical devices to the path forward. It’s the culmination of a collaborative effort with the Department of Homeland Security (DHS), National Protection & Programs Directorate, National Cybersecurity & Communications Integration Center, DHS Office of Intelligence & Analysis, and the HHS’s Office of the Assistant Secretary for Preparedness & Response.
You can download the 13-page PDF here.
Apgar and Associates helps you with questions and concerns about your privacy and security compliance program, including updates and training, at 877-376-1981.
The Internet of Things (IoT) is leaving gaps that malicious software can exploit, bringing down extensive systems. The increasing frequency and severity of the attacks have healthcare systems and their supporting technology vendors on pins and needles.
Healthcare organizations may lose the ability to access systems that are critical to patient care, and everyday use of patient portals can be affected as well. Because of dubious security in the IoT, everything from EHRs to drug infusion pumps could be taken out.
Organizations should perform scans of their networks for vulnerable IoT devices, continuously scan for compromised devices, apply security patches promptly to address known vulnerabilities and change all default passwords on every IoT device. Default passwords are easily guessed or can be found online. – HIPAA Journal
US-CERT is once again the go-to reference for advice, with tips including*:
- Scanning for vulnerable IoT devices and performing risk remediation.
- Increase password strength and check for vulnerable usernames.
- Keep anti-virus, anti-malware and software patches up to date.
- Get tough on the firewalls and allowed traffic.
- Segment networks for better isolation and access control.
- Monitor port 48101 for suspicious traffic, and TCP ports 2323 and 23 for IoT control attempts.
- Double down on security awareness, with renewed emphasis on data exchanged over WiFi and on remotely operated devices.
- Consider stronger email practices, including distribution of email addresses.
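The monitoring tip above names specific ports, so here is an added example (not code from the original post, from US-CERT or from Apgar and Associates) that walks a firewall log and flags exactly that traffic: control attempts on 23/TCP and 2323/TCP against the device segment, anything on port 48101, and a single source sweeping several devices. The log format, the IoT subnet 10.20.0.0/24 and the sweep threshold are assumptions constructed for this illustration; the sample addresses are documentation ranges, not real hosts.

```python
"""Flag the IoT-related network activity the tips above single out.

Added example, not code from the original post, from US-CERT or from Apgar
and Associates. The firewall log format, the IoT subnet and the sweep
threshold are assumptions constructed for this illustration; the ports
(23/TCP, 2323/TCP, 48101) are the ones named in the tips.
"""
import ipaddress
from collections import defaultdict

IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # assumed IoT / medical-device segment
TELNET_PORTS = {23, 2323}
FLAGGED_PORT = 48101
SWEEP_THRESHOLD = 3  # distinct devices probed by one source before calling it a sweep

# Constructed firewall log; addresses are documentation ranges, not real hosts
FLOW_LOG = """\
2017-02-10T03:14:01 proto=tcp src=203.0.113.5 dst=10.20.0.11 dport=23 action=allow
2017-02-10T03:14:02 proto=tcp src=203.0.113.5 dst=10.20.0.12 dport=2323 action=allow
2017-02-10T03:14:03 proto=tcp src=203.0.113.5 dst=10.20.0.13 dport=23 action=deny
2017-02-10T03:15:10 proto=tcp src=10.20.0.11 dst=198.51.100.7 dport=48101 action=allow
2017-02-10T03:16:00 proto=tcp src=10.20.0.50 dst=10.20.0.60 dport=443 action=allow
2017-02-10T03:17:00 proto=udp src=10.20.0.9 dst=10.20.0.1 dport=53 action=allow
"""


def parse_flow(line):
    """Parse one 'timestamp key=value ...' line into a dict with typed fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": ts,
        "proto": fields["proto"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def scan_flows(lines, iot_subnet=IOT_SUBNET, sweep_threshold=SWEEP_THRESHOLD):
    """Return (rule, source, detail) alerts for the traffic the tips ask you to watch."""
    alerts = []
    telnet_targets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        # Telnet-style control attempts against the device segment; denied attempts count too,
        # because a blocked probe still tells you someone is looking.
        if f["proto"] == "tcp" and f["dport"] in TELNET_PORTS and f["dst"] in iot_subnet:
            alerts.append(("telnet_control_attempt", str(f["src"]),
                           f"{f['dst']}:{f['dport']} {f['action']}"))
            telnet_targets[f["src"]].add(f["dst"])
        # Any traffic on 48101, in either direction, is worth a look.
        if f["dport"] == FLAGGED_PORT:
            alerts.append(("port_48101_traffic", str(f["src"]), str(f["dst"])))
    # One source touching several devices on telnet ports looks like a sweep, not a one-off.
    for src, targets in telnet_targets.items():
        if len(targets) >= sweep_threshold:
            alerts.append(("telnet_sweep", str(src), f"{len(targets)} devices"))
    return alerts


def count_alerts(alerts):
    """Tally alerts per rule for a quick summary line."""
    counts = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in scan_flows(FLOW_LOG.splitlines()):
        print(*alert)
```

The port-48101 rule fires on an internal device talking outbound, which is the direction to watch on that port; the telnet rules fire on inbound attempts, allowed or denied. Feeding this the same fields from your own firewall or flow export is a matter of adjusting `parse_flow`; the point of segmenting the network (the tip just above) is precisely that the device subnet becomes a clean boundary to alert on.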
*We summarized the above US-CERT tips, but you can see the specifics as well as information about the OCR warning here in the December 12th HIPAA Journal.
Apgar and Associates helps you on your compliance journey, including conducting a security risk analysis and creating risk mitigation and risk management plans. We’re now scheduling security risk analyses into Q2 2017. Contact us for more information at 877-376-1981.