The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released a “Spring 2019 OCR Cybersecurity Newsletter” (Spring 2019 Newsletter) The Spring 2019 Newsletter, originally issued on a monthly basis but now quarterly, is published in an effort to, “help [Health Insurance Portability and Accountably Act] (HIPAA) covered entities and business associates remain in compliance with the HIPAA Security Rule by identifying emerging and prevalent issues, and highlighting best practices to safeguard [Protected Health Information] (PHI).” It highlights two serious cybersecurity threats, Advanced Persistent Threats (APT) and Zero-Day Exploits. Though neither of these threats are new, they continue to cause many cybersecurity issues for organizations, including health care organizations.
APT attacks use the brute force of continuous attempts to find and exploit vulnerabilities in an organization’s cybersecurity system, with a goal of stealing information or disturbing the organization’s operations. OCR highlights that the individuals behind an APT attack may be looking to illegally obtain PHI to sell it, commit identity theft, or use any potential health insurance benefits associated with the information. Additionally, providers and other health care industry professionals who conduct research should be aware that the individuals behind these attacks may be looking to steal innovative research information, experimental treatment testing results, and genetic data because of the associated value of the information.
Zero-Day Exploits take advantage of already existing holes in a cybersecurity system, such as unpatched vulnerabilities in hardware, firmware, or software, to gain access to an organization’s system or disrupt the function of pieces of hardware. Hackers may discover these vulnerabilities through their own research, or they may take advantage of the time between the discovery of a vulnerability and the deployment of a suitable patch or anti-virus update by the software or hardware company. These threats are dangerous separately but can also be used together to cause devastating cybersecurity incidents.
Organizations must analyze and manage PHI threats to not only avoid data breaches, but also to comply with the HIPAA Security Rule. Therefore, organizations should take APT and Zero-Day Exploit threats into account when conducting their HIPAA risk analyses, risk management processes or general compliance risk assessments. Additionally, some ways to mitigate these risks include the following:
- Reviewing or auditing activity logs to identify suspicious or out of the ordinary activity;
- Implementing policies and procedures to handle a cybersecurity attack on the organization’s system, including educating workforce members on how best to react to a threat or suspected threat;
- Testing the organization’s contingency plans;
- Establishing back-up locations that are not connected to the rest of the network for the organization’s sensitive data;
- Encrypting data, particularly electronic-PHI, both at rest and in-motion;
- Implementing access controls, such as two-factor authentication or systems that lock out a user after too many incorrect log-in attempts, to slow down APTs;
- Testing and deploying software patches when made available;
- Establishing channels for open communication with medical device manufacturers about any vulnerabilities or software patches, since network connected medical devices containing PHI are becoming an increasing target;
- Training workforce members on cybersecurity basics and posting regular reminders about common cybersecurity threats like target phishing e-mails;
- Hiring an outside security consultant to conduct Penetration testing or other cybersecurity work; and
- Ensuring that there are open and effective communication channels between the Compliance Department, the Privacy Department and IT Department.
To learn how consultants at Strategic Management Services can evaluate or assist with your HIPAA Program, please contact Catie Heindel, JD, CHC, CHPC, CHPS (CHeindel@strategicm.com), or Alexis Rose, JD (firstname.lastname@example.org), or call 703-683-9456.Subscribe to blog