Breach Preparedness
,
Cybersecurity
,
Data Breach
OCR Outlines Steps to Avoid Falling Victim to Rising Threats
Marianne Kolbasuk McGee (HealthInfoSec) •
April 4, 2016
Federal regulators have issued new guidance urging healthcare organizations and business associates to bolster their cyberattack defenses. The advice comes after several high-profile attacks, including one targeting MedStar Health that forced the 10-hospital system to temporarily shutter many of its systems to minimize the spread of malware.
See Also: Proactive Malware Hunting
The Department of Health and Human Services' Office for Civil Rights' alert warns about the dangers posed by ransomware, nation-state attacks and emerging attacks targeting smartphones. It urges organizations to implement a series of key measures to defend against those threats.
"Recent cyberattacks on major healthcare entities have been eye-opening for some healthcare professionals and have changed many views on security for the healthcare sector," says a March 30 update from the Department of Health and Human Services' Office for Civil Rights. The latest update is part of a cyber awareness initiative that OCR launched in January. The first update focused on ransomware and tech support scams (see OCR: Cyber-Awareness Effort: Will it Have an Impact?).
In the latest alert, OCR notes, "In the past, security compliance personnel and their leadership at healthcare entities may have been more focused on issues like security breaches that involve workforce members losing unencrypted laptops or other mobile devices containing patient's protected health information. While lost or stolen devices still represent a large portion of health industry breaches, healthcare sector organizations must consider new cyber threats, as well."
Cyberattacks involving hackers targeting the databases and network systems of healthcare sector organizations "are becoming more common and sophisticated, and may be different from the privacy breaches many entities have seen previously," OCR notes.
Hospital Attacks
The latest OCR guidance was issued as MedStar Health struggled to recover from a malware attack that shut down its IT systems. As of April 3, MedStar said in a statement that it had brought its virtual private network back online, enabling physicians to remotely access MedStar clinical systems.
Although the Washington Post reported last week that the malware attack involved a request for a ransom, MedStar hasn't confirmed that account, and it has not responded to repeated inquiries from Information Security Media Group.
The attack on MedStar followed ransomware attacks that targeted Methodist Hospital in Kentucky, two California hospitals and Ottawa Hospital in Canada (see Hospital Ransomware Attacks Surge; So Now What?). Plus, Hollywood Presbyterian Medical Center in California grabbed headlines in February when it announced it paid extortionists a $17,000 bitcoin ransom to unlock its data.
In addition to those attacks, Mercy Iowa City on March 25 reported a malware attack potentially exposing information on almost 16,000 individuals. That incident was recently added to the OCR "wall of shame" website of health data breaches as affecting 500 or more individuals.
In a statement, Mercy Iowa City says that it learned of the attack on Jan. 29, when law enforcement advised it that a computer virus had potentially infected some of its systems on Jan. 26, 2016. The organization's investigation determined that some of its computers were infected by a virus designed to capture personal data. However, to date, Mercy Iowa City says it has no evidence that patient information has been used improperly.
The organization is working with law enforcement in its investigation. A Mercy Iowa City spokeswoman declined to discuss details of the attack or type of malware involved, but tells ISMG that ransomware was not part of the incident.
Disruptions to Care
OCR's new guidance notes the various ways that "cyber threats and attacks can disrupt healthcare entities' information systems and cause delays in patient care." For example, certain attacks can slow down the process of providing patients their daily medication or meals; printing patients' labels, ID badges or discharge papers; and accessing patient medical records, the alert notes. "Some attacks can affect life-saving medical devices."
In fact, security experts, as well as government agencies, including the Department of Homeland Security and Food and Drug Administration, have been warning healthcare entities for the past several years about the potential cybersecurity risks to medical devices and other healthcare equipment connected to the internet (see Security Flaws in Legacy Medical Supply Systems Spotlighted).
Ransomware Attacks
As for the recent string of ransomware attacks on hospitals, OCR notes that "hackers and ransomware tools are becoming more sophisticated." But to fend against these attacks, which involve attackers locking up databases and files with encryption, OCR suggests healthcare entities take a number of steps that are recommended by the U.S. Computer Emergency Readiness Team, including:
Performing regular backups of all critical information, keeping data on a separate device and keeping backups stored offline;
Maintaining up-to-date anti-virus software and keeping operating system and software up to date with the latest patches;
Not clicking on unsolicited web links in emails, and using caution when opening email attachments.
OCR also notes that the FBI discourages healthcare entities and business associates from paying the ransom, "as this does not guarantee files will be released."
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, says that the FBI's advice about not paying a ransom is well grounded, but likely unrealistic for some organizations struggling desperately to unlock their data in the wake of a ransomware attack. "While I understand the reasons behind the FBI's message, I suspect CEs and BAs who find themselves in this position are likely to pay the ransom rather than play chicken with the bad guys."
Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes: "It is most important to note that the cyberattacks - whether they be ransomware, infiltration of malware or keyloggers - that permit exfiltration of data have a common denominator of an email phishing attempt that activates when a link included in the message is selected by the recipient." He says healthcare entities must "recognize that the best ways to battle this is through monitoring what is going on in your information system along with user education on how to recognize and avoid opening up emails from sources that are not recognized."
Nation-State Attacks
OCR also warns that it's not only ransomware attacks that healthcare entities and business associates need to be worried about. For example, healthcare entities may be the target of hackers in China, Russia and several countries in Eastern Europe, OCR notes. "The motivation for this type of attack varies from collecting protected health information for sale and collecting data for intelligence-building and potential espionage, to stealing intellectual property from medical technology companies."
To mitigate the risk of nation-state attacks, OCR advises covered entities and business associates to refer to advice from the FBI that includes:
Recognizing internal and external security threats to the entity's sensitive data and implementing a plan for safeguarding it;
Confining access to an entity's sensitive data to a need-to-know basis;
Providing
training to employees about its data security plan and how to avoid email attacks involving phishing;
Avoiding storing private information on any device that connects to the internet.
Smartphone Attacks
OCR also warns healthcare organizations to be on the lookout for emerging attacks targeting smartphones. "Patients, staff and third-parties of covered entities are using smartphones to interact with new healthcare applications and medical devices. Although smartphones have beneficial features, entities must ensure these devices have appropriate safeguards against cyberattacks," the guidance says.
OCR notes that the U.S. CERT advises organizations to mitigate the risks of a cyberattack on smartphones by implementing such security practices as:
Enabling the password feature on mobile phone, as well as enabling
encryption, remote wipe capabilities and antivirus software;
Checking what permissions mobile applications require. If the permission seems beyond what the application should require, do not install the application;
Setting Bluetooth-enabled devices to non-discoverable;
Avoiding using unknown Wi-Fi networks and using public Wi-Fi hotspots;
Deleting all information stored in a device prior to discarding it.
While the OCR updates include important information, OCR should consider other ways to draw more attention to the advice, Holtzman contends.
"OCR is missing an opportunity to provide meaningful assistance and updates to the healthcare sector with a monthly 'newsletter' on cybersecurity," he says. "The threats posed by cybercriminals evolve too quickly to justify this response from the front-line agency responsible for safeguarding American's health information privacy. A more effective approach would be to pass along the weekly bulletins and alerts provided by the US-CERT."
Healthcare is in the middle of a major evolution toward digital, personalized medicine and the empowered patient. Ongoing regulatory and monetary incentive programs are driving healthcare providers to increase their EHR and E-Prescribing adoption. Additionally, the U.S. Office of the National Coordinator for Health Information Technology (ONC) is focused on strengthening identity-proofing and authentication of all participants in the healthcare system: providers, staff, business associates, and patients. With many organizations including HIMSS, AHIMA and CHIME calling for a nationwide unique patient identifier with support from the National Strategy for Trusted Identities in Cyberspace's (NSTIC), Identity Ecosystem Steering Group, a trusted digital identity will likely soon be on your IT agenda.
This massive push toward digital medicine brings about numerous security and interoperability challenges, including a shift in thinking from "supposedly known users" to "secure and trusted identities." Knowing who is accessing PHI at any point in time is beyond critical to ensure security. How can the healthcare community move closer to making this leap to digital medicine without sacrificing security and confidentiality?
This exclusive webinar, sponsored by VASCO, will talk about ways your healthcare organization can create a secure bridge between the verified identity in the physical world and the online identity in the cyberspace on a state or national level. Co-hosts Michael Magrath, Director of Business Development at VASCO and a nationally recognized leader in the healthcare identity management field, and Andrew Showstead, Director of Technical Consultancy at VASCO, will discuss how your organization can deploy a unique, reusable and trusted digital patient credential that provides interoperability and links multiple players via a trust framework.
In this exclusive webinar, Magrath and Showstead will also discuss:
How to implement remote ID verification;
How to provide better patient and provider electronic authentication;
How to get simplified workflow inside healthcare facilities;
How to secure end-to-end communications between patients and providers;
How superior identity management naturally leads to improved HIPAA and HITECH compliance.
You might also be interested in …
Hands-On CyberSec Skills Needed
ISMG analysis of Bureau of Labor Statistics data