Posts Tagged cyber

Alabama Legislature Considers State Law on Cybersecurity

Posted by on
Alabama Legislature Considers State Law on Cybersecurity

At the time of the writing of this article, Alabama is one step closer to having a law on the books related to cybersecurity. As one of only two states without a state data breach law, Alabama is considering legislation that requires certain entities, “covered entities,” to report to state agencies and affected individuals when there has been an unauthorized acquisition of “electronic, sensitive personally identifying information.”

On March 1, 2018, the Alabama Senate passed SB318, and if passed by the House and signed by the Governor, it would require “covered entities” to notify Alabama’s Attorney General, Alabama residents whose information has been compromised, and consumer credit-reporting agencies of a data breach. For health care providers covered by the Health Insurance Portability and Accountability Act (“HIPAA”), federal law already requires notification when they experience unauthorized disclosures of protected health information. In addition to HIPAA’s breach notification requirements, the new Alabama law would require reporting at the state level for healthcare providers who experience a data breach. It is important to note that the term “covered entities” in the proposed legislation is much broader and applies to persons or business entities that acquire or use personally identifiable information.

Investigation and Reporting

Under SB318, a covered entity is required to investigate any data breach and in some instances report the breach. The investigation must include:

  1.  an assessment of the nature and scope of the breach,
  2.  identification of any sensitive personally identifying information involved and the individuals involved,
  3.  a determination as to whether the information was acquired by an unauthorized individual and could result in substantial harm, and
  4.  identify and implement measures to restore security and confidentiality of the system involved in the breach.

It is the second factor that determines whether the breach is reportable:  Is the sensitive information reasonably believed to have been acquired by an unauthorized person? And is the unauthorized acquisition reasonably likely to cause substantial harm to the individuals?

The law sets forth four factors to consider when evaluating whether the information is “reasonably believed” to have been acquired by an unauthorized individual. In making this determination, the covered entity must evaluate “indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information; indications that the information has been downloaded or copied; indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; and whether the information has been made public.” Unfortunately, the law does not provide guidance on whether the breach is reasonably likely to cause substantial harm to the affected individual.

Even if a breach is not a reportable event, the covered entity must maintain relevant records for at least five years. For instance, if the covered entity determines the breach is not reasonably likely to cause substantial harm then no notification is required, but the entity should keep all records related to the breach and their determination that notification was not necessary for five years following the incident.

Required Security Measures

The proposed legislation also requires covered entities to implement “reasonable security measures” to protect an individual’s data.  Similar to HIPAA, the bill requires the covered entity to designate an employee to coordinate security measures (i.e. HIPAA Security Officer) and to identify risks of data breaches. In recognizing that not all covered entities face the same risks or have the same resources, the required “reasonable” security measures should take into account the size of the covered entity, the amount of data maintained and stored by the covered entity and the cost to implement security measures. Good news for healthcare providers, if a healthcare provider has performed the necessary security and risk assessments required under HIPAA, it should easily meet the standards required in SB318.

Information that Triggers Notification

Not all information qualifies as “sensitive personally identifiable information.” To meet this definition, the accessed information must consist of the individual’s first name or initial and last name in combination with any one of these data elements:

  • A non-truncated (or shortened) Social Security or tax identification number;
  • Non-truncated driver’s license, state-issued identification card number, passport number, military identification number or any unique, government-issued number used to verify identity;
  • A financial account, credit or debit card number along with a required security code, expiration date, PIN, access code or password necessary to access a financial account or conduct a transaction;
  • Individual medical or mental history or treatment information;
  • A health insurance policy or identification number; and
  • A username or email address along with a password or security question and answer that gives access to an online account that is likely to contain sensitive personal information.

Elements and Method of Notification

If the investigation concludes that notification must be made, the covered entity must provide notification as “expeditiously as possible but no more than 45 days after the determination of the breach. The notification may be made by mail or email and must include the following elements: 

  • The date, estimated date, or estimated date range of the breach;
  • A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach;
  • A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach;
  • A general description of steps a consumer can take to protect himself or herself from identity theft; and
  • Information that the individual can use to contact the covered entity to inquire about the breach.

Penalties

The legislation also includes penalties for failing to provide the required notifications, including a potential violation of the Alabama Deceptive Trade Practices Act (“ADTPA”). The Deceptive Trade Practice Act penalties would apply for willful or reckless disregard of the notification requirements. Civil money penalties are capped at $5,000 per day for each consecutive day the covered entity fails to comply with the notice provisions and there is a $500,000 cap for violations under the ADTPA. A violation does not constitute a criminal offense and does not provide for a private right of action.  In other words, a patient/consumer cannot sue the covered entity for the breach.

The bill is currently pending before the Alabama House of Representatives, bill number HB410.

Article contributed by Burr & Forman, LLP. Burr & Forman, LLP, is a partner with the Medical Association. Please read other articles from Burr & Forman, LLP, here.

Pin It

Tags: , , , ,

Posted in: Legal Watch

Leave a Comment (0) →

Cyber Security:  Five Common Phish Attack Schemes

Posted by on
Cyber Security:  Five Common Phish Attack Schemes

Hackers only need you, that’s right just you. They are sneaky and know the general population is busy and doesn’t pay close attention to the emails they receive. Hackers know people are comfortable in their daily habits. They exploit this behavior by creating email scenarios designed to encourage a click. They need just one person to click just one time to infect their computer with malware that grants them access to the information they need to launch a more sinister attack.

“Phishing attacks are by far the most common cyber attack today, and these attacks continue to get more and more sophisticated.  Gone are the days of the ‘dear sir’ attack-now we have to worry if an email appearing to be directly from a co-worker is actually from them,” said Steven Hines, president of Threat Advice.

Because hackers are continually changing their tactics, clicking on a nefarious email or link leading to a cyber attack can happen to anyone. Recognizing the threat before it turns into a disaster is just one way we each can be more prepared. The following are five ways hackers are currently trying to access your business and personal information:

  1. Look but don’t click. If the email address or the attachment name seems “phishy,” it probably is. Are there spelling or grammatical mistakes? Companies with professional staff are not going to make these types of mistakes.
  2. Analyze the salutation and signature closely. Most legitimate businesses will use your name rather than a generic greeting like “Dear customer.” The business should provide ways to contact them in the signature. If that’s not provided, it could be a phishing attempt.
  3. Know your brands. Hackers will spoof your favorite brands and make their emails look enough like the actual brand to fool you. Is the logo color wrong? Are there additional words in the brand name? Did you sign up to receive emails from them? Don’t click any links before you examine the email to confirm the sender.
  4. Urgent or Threating – No one likes a bully. A common phishing technique is to use harassing or threating language in the subject line or email content or to create a sense of urgency to handle a fake problem. Most legitimate banks, utilities/municipalities and businesses will not ask you to provide your private information via email nor threaten you in an email.
  5. What grandma said…“If it’s too good to be true, it probably is!” Hackers will continue to send phishing emails promising riches and prosperity if you only send your social security and bank information. Why? Because unfortunately, people still take the bait.

Article contributed by Cobbs Allen. Cobbs Allen is an official Gold Partner with the Medical Association. For more information about cyber liability insurance and how it protects your business, contact Margaret Ann Pyburn.

Pin It

Tags: , , , , , , , , , , ,

Posted in: MVP

Leave a Comment (0) →

What Eight Things You Should Do to Protect Your Business from Cyber Threats

Posted by on
What Eight Things You Should Do to Protect Your Business from Cyber Threats

Cyber threats take many forms. The widespread WannaCry ransomware attack in May 2017 highlighted how computer files could be held hostage in return for payment, while the Dyn denial of service in October 2016 highlighted how websites like Airbnb and Twitter could be made inaccessible. Cyber threats are on the rise within the health care industry, as the information gained as a result is lucrative in value. Thus, it is important every physician practice take steps to protect itself from a cyberattack.

Identify the types of cyberattacks to which your practice is most likely vulnerable.

By doing so, you can invest in measures that will be most relevant to your practice. For instance, practices that host websites must preempt denial of service attacks, while those that hold private customer information electronically must prevent unauthorized access to their data. Of course, many practices will likely be vulnerable to a variety of cyberattacks.

Develop a framework to prevent, investigate and respond to the cyberattacks to which your practice is most vulnerable.

In 2014, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued and continues to update, a voluntary Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). In addition to their own independent initiatives, practices should periodically consult the Framework to keep abreast of cybersecurity best practices in order to assess their security status relative to others. In addition, the website for the Office of Civil Rights, the government entity responsible for HIPAA compliance, contains guidance on various cybersecurity topics that may also prove helpful.

Invest in the latest computer security and protection measures.

To the extent feasible, practices should strive to use the most up-to-date software and avail themselves of periodic releases of software updates. Cyberattack methods constantly evolve, and older versions of software are more vulnerable to newer and more complex threats. For example, victims of the WannaCry ransomware attack were mainly those organizations that ran older versions of Windows operating software. Practices should also consider regularly backing up data and insulating that data from their computer network, segmenting their computer network, and monitoring network activity.

Implement employee vigilance and training measures.

Perpetrators of cyberattacks often employ phishing scams by sending emails with attached malware to individuals who then promptly download the attachments and infect their employers’ computer networks. Practices should train employees to identify suspicious emails in order to guard against phishing schemes. Such training can be incorporated into your practice’s periodic HIPAA training.

Given that malicious emails are often sent by seemingly familiar senders, practices should teach employees how to spot subtle clues that indicate dangerous emails. For instance, employers should instruct employees to check whether the domain name of the originating account is a “near-miss” from what would be expected. For example, an employee recognizing “dot com” and “dot co” could be the difference in avoiding hefty losses.

Test your cybersecurity measures and monitor the effectiveness.

To test whether employees take instructed precautions against phishing attacks, practices should send their employees emails from a “near-miss” domain and tally how many employees fall for them. Of course, even after enhancing computer security systems and increasing employee awareness of network defenses, practices may nonetheless succumb to a cyberattack, but at least the chances of doing so may be reduced.

Obtain effective cyberattack insurance coverage.

Practices should compare potential damages in the event of a cyberattack to the coverage provided in their existing insurance policies and seek out supplementary insurance for any uncovered damages or liabilities that may arise in the event of a cyberattack. For instance, since courts are divided as to whether computer systems constitute “tangible property” for purposes of an insurance claim, practices should consider consulting their insurance companies, brokers, or legal counsel to obtain insurance that covers the types of damages that arise in cyberattacks, including, but not limited to, expenses associated with providing patients with written notice when a reportable HIPAA breach occurs.

Adopt an effective legal strategy for your practice that preempts and limits liability.

As practices retain confidential personal and medical information, any data breach or unauthorized disclosure could subject the practice to liability under a host of federal and state law claims, in addition to HIPAA fines and penalties. Thus, the establishment of an effective legal strategy that preempts and limits liability is essential.

Employ traditional security measures for your practice at locations that could be vulnerable to physical disruption of your cyber capabilities.

Practices should account for some of the more traditional ways in which perpetrators can disrupt their computer networks. To prevent someone from unplugging the power source to a computer network or server, you could consider installing CCTV cameras and limiting access to such areas. In addition, have security incident procedures in place and be prepared to continue operations if an interruption occurs. For example, if an interruption with respect to your EMR system occurs, be prepared to continue business utilizing paper medical records until the interruption can be resolved and your EMR is back online.

Article contributed by David D. Dowd III, Elizabeth B. Shirley and Kelli C. Fleming with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP, is an official Bronze Partner with the Medical Association.

Pin It

Tags: , , , ,

Posted in: Technology

Leave a Comment (0) →

“WannaCry” Ransomware Holds True to its Name

Posted by on
“WannaCry” Ransomware Holds True to its Name

This week, countries around the world faced an unprecedented cyber security attack. On May 12, 2017, the Critical Infrastructure Protection Lead for the Department of Health and Human Services Laura Wolfe first reported it as a “significant security issue.” Hours later, the Department of Homeland Security’s Computer Emergency Readiness Team warned the public of a malware virus called “WannaCry.” As with typical ransomware, an individual would receive an email purposely designed to look like an email sent by a business or individual the recipient may be familiar with and contain either a link or attachment. Once opened, the virus spreads giving the attackers access to computer systems and the ability to encrypt the information and extort money from the victim.

What’s the relationship between HIPAA and ransomware?

When a health care entity is the victim of a ransomware attack, the protected health information accessed during the attack is considered to be breached. Therefore, unless the affected entity can prove the information was encrypted prior to the attack, it must go through all of the usual steps to comply with the HIPAA Breach Notification Rule. This includes, but is not limited to, reporting the breach to people whose information was compromised no later than 60 days from discovering the breach. If the breach includes the protected health information of greater than 500 people, there must also be contemporaneous notice to HHS and news media outlets.

Why can’t you just follow the money?

Often, individuals connected to ransomware activity will use a currency called “Bitcoin.” Since around 2009, bitcoin has allowed for the exchange of goods and services without regard to the identity of the sender or recipient. Since there is no bank to act as a conduit, there are no transaction fees which have allowed the use of bitcoins to increase in popularity among merchants. However, the anonymous nature of the transactions makes it difficult, if not impossible, to trace. This anonymity makes it a currency of choice among hackers.

Who does this affect?

Many health care entities built their information technology infrastructure around Windows XP when it was introduced in 2001. Windows XP was discontinued in 2014 and is no longer supported by Microsoft. As a result, it has not received necessary updates or security patches. Due to its initial popularity, many entities may still have at least one Windows XP device and have been sluggish to fully convert to a more secure operating system. Fortunately, as of the date of this article, experts have been able to identify the threat and dramatically slow the spread of the most recent virus. However, health care entities must be vigilant about addressing these cyber security concerns. Hackers are aware of these vulnerabilities and will continue to use their resources to exploit those weaknesses.

How can you protect yourself?

Make sure that you are using up-to-date antivirus software, and be sure to implement updates and patches as they are made available. Educate your staff on the importance of not opening suspicious emails, and teach them how to look for subtle irregularities hackers often use when they are attempting to pose as someone familiar to the recipient. Additionally, ensure you and your staff never click on links in emails that appear bizarre. A common example is an email from your banking institution that you were not expecting or a link to collect a fictitious lottery prize.

Victims of this cyber crime are encouraged not to pay the ransom because most often the information is still not made available by the hacker. Instead, if you believe that your system has been exposed to this malicious software, please report this threat to authorities. You can begin the process by contacting your FBI Field Office Cyber Task Force by visiting https://www.fbi.gov/contact-us/field-offices.  You can also report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center at https://www.ic3.gov/default.aspx.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Pin It

Tags: , , , , , ,

Posted in: Liability

Leave a Comment (0) →

Managing Your Practice: Is Your Practice Cyber Secure?

Posted by on
Managing Your Practice: Is Your Practice Cyber Secure?

With the increased use of technology in health care comes the increased risk of cyber attacks and cyber liability, as well as regulatory investigations, fines and penalties. Anything created, stored or transmitted electronically is at risk of being compromised by an innocent mistake or – worse yet – maliciously stolen by a criminal.

According to a compilation of data breach statistics, there were 1,673 reported data security breach incidents worldwide in 2015, and 1,222 of those occurred in the United States. Of that total, 374 – approximately 22 percent – were breaches of medical or health care information. This equated to more than 134 million individual health care data records being accessed or stolen by cyberattacks just in calendar year 2015 alone.1

Many people don’t believe — or understand why — medical information is valuable or at risk.

Medical records are targeted because they contain a wide variety of a patient’s personal information: social security number, financial, health, demographic and family information. This gives criminals many potential uses for the stolen information, including identity theft and applying for credit cards, store accounts, or other lines of credit. But they also use the information to purchase medical equipment and pharmaceuticals that can be resold, or to fraudulently bill health insurers or the government for fictitious medical care by masquerading as health care providers. One cybersecurity expert estimates that a medical record can fetch up to $50 on the black market, while a credit card number may go for as little as $5.2

Big or small, all health care organizations are at risk.

Large health care systems, hospitals, group practices and individual health care providers have all been attacked, but the size of the entity is no clear indication of the size of the breach. One need only reference the HIPAA data breach “wall of shame” to bear out the truth of this assertion. Data breach incidents at very large organizations have exposed anywhere from several hundred to several million patient records. Likewise, cyber attacks on small solo practices — though frequently in the range of several hundred to several thousand — have exposed tens of thousands of patient records with a single breach.

Transition to EHRs, dated systems, and weak security measures pave the way for cyberattacks.

The transition to electronic health records has given criminal hackers more opportunities to steal medical records. The chief information officer for a hospital system in Utah estimates his hospital’s EHR system fends off thousands of attempts to penetrate its network each week.3

Another reason is ease of access. Many hospitals and physician practices are using EHR systems that have not been updated in more than 10 years. While hospitals and physician practices grappled with more urgent matters like ICD-10 implementation and Meaningful Use, robust cybersecurity measures fell down the priority list. Once a hacker penetrates whatever security the system does have, the exposed information is there for the taking.4

Cyberattacks on EHR systems take many forms.

In addition to outright theft of medical information, emerging cyber threats also include various forms of cyber terrorism and cyber extortion. Recent reports of ransomware attacks are particularly troublesome. Sophisticated hackers launch malicious codes (typically via entry through email) that crawl through a target’s computer system, encrypting and locking up data files, and then demand payment (ransom) in exchange for providing the decryption key. Cybersecurity experts believe health care providers make good targets for ransomware attacks because they do not typically have the advanced backup systems and other resilience measures in place that are typical of other types of organizations.5

What can you do to safeguard EHRs and protect patient information?

Patient trust in your practice’s ability to protect medical information is critical. To maintain that trust, it is important to have safeguards in place that help prevent data breaches. When implementing or updating an EHR system for your practice, talk to your vendor about cybersecurity. Ask whether the stored information is encrypted. It is also a good idea to determine if or when the vendor will provide security updates for your EHR software.

You may need to invest more resources in shoring up the walls around your electronically stored and transmitted data. Cybersecurity is a highly specialized area that requires a certain degree of expertise and experience. Your EHR vendor may be able to provide some assistance in this area, but remember their expertise is more about creation and functionality and less about security. Hiring an in-house cybersecurity expert or contracting with a cybersecurity firm specializing in this area may be the best option to protect your practice and your patients.

ProAssurance also helps protect you against cyber liability threats.

ProAssurance is also committed to helping you reduce uncertainty and increase the control you have over cybersecurity — it’s only fair. That’s why we partnered with NAS Insurance Services to provide coverage for certain types of cyber liability risk exposures. This coverage, called CyberAssurance Plus®, is now embedded in your existing ProAssurance professional liability insurance policy and is provided at no cost to you. Through CyberAssurance Plus® you have coverage for Network Asset Protection, Privacy Breach Response Costs and Patient Notification Expenses, Patient Support and Credit Monitoring Expenses, Privacy and Security Liability, as well as coverage for Regulatory Defense Costs and certain Fines and Penalties. This embedded coverage was recently enhanced to also include coverage for Multimedia Liability, Cyber Extortion and Cyber Terrorism, PCI DSS Assessments, and a unique coverage feature called BrandGuard® for lost revenue as a result of an adverse media report or customer notification of a security or privacy breach. Your CyberAssurance Plus® coverage is limited to $50,000 per claim and subject to an annual aggregate limit (determined by group size) for all claims in a single policy year. You may, however, purchase higher coverage limits for cyber liability threats through ProSecure®, which is a co-branded insurance program with NAS Insurance Services that is exclusive to ProAssurance insureds. Through ProSecure® you can purchase an additional $1 million in cyber liability coverage that is designed to work seamlessly with CyberAssurance Plus® coverage already embedded in your ProAssurance policy.

As a ProAssurance insured, you and your staff also have access to webinars, toolkits, bulletins, posters, FAQs, and online training programs to help you address cyber liability risks. For example, you can access:

  • Summaries of major changes to the HIPAA/HITECH Rules (effective September 2013), including required changes to your Notice of Privacy Practices; the expanded definition of Business Associates (with updated sample Business Associate and Vendor Agreements); and patients’ ability to request medical records in electronic form
  • Webinars, tool kits, and sample documents, including basic data privacy/security, encryption, and destruction practices; sample HIPAA Privacy/Security Rule policies and procedures; social media training tools; sample mobile and personal device user policies, procedures, and agreements; and how to implement a data security plan
  • Breach notification requirements under federal and state laws (where applicable); sample HIPAA Breach/Risk Assessment Worksheets; examples of incidents to report, how to report data security incidents, and more

You can access these resources from NAS Insurance Services’ Data Security Risk Resource Website through your proassurance.com account. Please Note: Content on the NAS Insurance Services’ Data Security Risk Resource Website is provided by third party sources. ProAssurance is not responsible for the content and does not consider it to be legal advice.

For more information about cyber liability, cybersecurity, risk management, CyberAssurance Plus® and ProSecure®, contact your ProAssurance representative. Article by ProAssurance, a Platinum Partner with the Association. ProAssurance insured physicians and their practice managers may contact Risk Resource for prompt answers to liability questions by calling (844) 223-9648 or email riskadvisor@proassurance.com.

SOURCES

1   2015 The Year Data Breaches Got Personal: Findings from the 2015 Breach Level Index. Gemalto website. http://www.gemalto.com/press/Pages/Gemalto-releases-findings-of-2015-Breach-Level-Index.aspx. February 23, 2016. Accessed September 8, 2016.

2   Murphy T., Bailey B. Hackers mine for gold in medical records. The Boston Globe website. https://www.bostonglobe.com/business/2015/02/06/why-hackers-are-targeting-medical-sector/xxjFN6G3cFJZ8Fh3mF3XhN/story.html. February 6, 2015. Accessed September 1, 2016.

3   Humer C., Finkle J. Your medical record is worth more to hackers than your credit card. Reuters website. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. September 24, 2014. Accessed September 1, 2016.

4   Radcliffe S. Patients beware: hackers are targeting your medical information. Healthline News website. http://www.healthline.com/health-news/hackers-are-targeting-your-medical-information-010715#1. January 7, 2015. Accessed September 1, 2016.

5   Conn J. Hospital pays hackers $17,000 to unlock EHRs frozen in ‘ransomware’ attack. Modern Healthcare website. http://www.modernhealthcare.com/article/20160217/NEWS/160219920. February 18, 2016. Accessed September 1, 2016.

Pin It

Tags: , ,

Posted in: Management

Leave a Comment (0) →

Don’t Fall Victim to Cyber-Security Disasters

Posted by on
Don’t Fall Victim to Cyber-Security Disasters

Editor’s Note: This article was originally published in the 2015 Fall Issue of Alabama Medicine magazine

Every day, it seems the news is filled with more and more reports of cyber-security attacks. Unfortunately, the health care community is considered a prime target for those individuals who would seek to gain access to confidential information.

Did you know that stolen medical records can be valued at up to 10 or 20 times that of a credit card number?1 Compounding this is the ever-growing reliance within the medical community upon electronic and digital systems to capture patient data and deliver medical care. So how can health care providers protect themselves from being the victim of a cyber-security incident?

Assess and Manage Your Risk

Medical providers should have a comprehensive knowledge of where their critical information resides, and of any and all vulnerabilities related to the storage and transmission of the data. To ensure that those in the medical community recognize the threat(s) to confidential information, the United States Department of Health and Human Services mandated within the HIPAA Security Rule that all covered entities conduct a thorough risk analysis to identify all potential vulnerabilities as well as determine the probability and magnitude of a possible security event.2

While a risk assessment should be a formal exercise in which all facets of information security are reviewed and vetted for adequacy, the provider should also establish and maintain a strategy for risk management. This involves implementing proper safeguards to secure information as well as communicating and educating personnel throughout the organization on the policies and procedures which continually mitigate risk. By creating and cultivating a culture of compliance, one can significantly reduce the chance of exposing a vulnerability that could lead to unauthorized access.

Increase Detection Capabilities

Recent cyberattacks in the health care community have exposed a very dangerous trend: Many times, hackers have accessed and begun harvesting data several weeks or even months prior to being detected.3 It is no longer sufficient for medical providers to consider security safeguards, such as firewalls and anti-virus software applications as “set-it-and-forget-it” mechanisms. Solutions should be implemented to enable the monitoring and detection of breaches that could trigger proper incident response processes quickly and efficiently.

Health care organizations should consider investing in Next-Generation Firewalls. These security devices provide more than just network filtering – they typically offer advanced security features, such as deep packet inspection (where each specific data part that passes through is examined for viruses or other types of malicious software) as well as intrusion prevention systems that monitor network traffic for malicious activity and are configured to actively prevent or block such attempts once detected.In addition to these technologies, other applications, such as Security Information and Event Management Systems, allow for real-time analysis and monitoring of systems. These solutions can be configured to alert the proper personnel in the event of a suspicious activity (e.g., multiple failed system logins) and allows for the organization to establish a proactive stance against unauthorized access to critical systems.

In addition to these technologies, other applications, such as Security Information and Event Management Systems, allow for real-time analysis and monitoring of systems. These solutions can be configured to alert the proper personnel in the event of a suspicious activity (e.g., multiple failed system logins) and allows for the organization to establish a proactive stance against unauthorized access to critical systems.

Protect and Secure Mobile Devices

According to the 2014 SANS Health Care Cyber-Security Survey, 52 percent of respondents allow access to health record information via mobile devices. Another 30 percent indicated that sensitive data was being included in instant messaging applications.4 As mobile device usage continues to grow, it becomes more and more important for healthcare providers to implement a mobile device management policy to address and minimize the threat of these devices causing a security incident.Specific to the mobile device itself, all providers should ensure that both authentication (via password or PIN code) and encryption are enabled on all devices. Furthermore, public Wi-Fi networks should not be used in situations where health information will be transmitted. Secure, encrypted connections, such as SSL VPN should be established when accessing corporate resources remotely. Providers should also implement technologies that can remotely wipe or disable mobile devices that are lost or stolen.

Specific to the mobile device itself, all providers should ensure that both authentication (via password or PIN code) and encryption are enabled on all devices. Furthermore, public Wi-Fi networks should not be used in situations where health information will be transmitted. Secure, encrypted connections, such as SSL VPN should be established when accessing corporate resources remotely. Providers should also implement technologies that can remotely wipe or disable mobile devices that are lost or stolen.As much as one can try to protect and mitigate risk related to the mobile device itself, the user of the device can still pose a significant liability. In addition to addressing the physical device, organizations should also invest in continuing education and training for users, as well as maintain strict policy and procedures related to the use of the device in providing medical care.

As much as one can try to protect and mitigate risk related to the mobile device itself, the user of the device can still pose a significant liability. In addition to addressing the physical device, organizations should also invest in continuing education and training for users, as well as maintain strict policy and procedures related to the use of the device in providing medical care.

Looking Ahead

The SANS report data shows that the health care industry is slowly starting to make strides and improve when it comes to protecting critical data from attack. However, it has become clear that not only are the hackers getting smarter, but their overall activity and attempts to infiltrate and mine confidential information continue to increase significantly.5 A 2014 report in United States Cyber Security Magazine indicated that the health care industry was the target of more cybercrime incidents than any other market, and this trend is likely to continue as hackers start to realize the value of medical information.6

Health care organizations will need to continue to thoroughly examine and assess the ways in which they are protecting themselves from attack. Analysis will need to be conducted internally and externally, as associated organizations such as payers, insurers, and other entities within community health care networks will be responsible to each other for protection of medical information. By effectively assessing and managing risk and building a risk framework that addresses all areas of critical data, medical providers can take significant steps towards minimizing the likelihood of a cybersecurity attack.

Sources

  1. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
  2. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
  3. http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/
  4. https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
  5. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
  6. http://www.uscybersecurity.net/Pages/online_magazine.html

The information in this article is not intended as tax or legal advice. Please consult your tax advisor for specific information regarding your individual situation.

Contbronzemvpributed by Nic Cofield, Jackson Thornton Technologies Consultant. Jackson Thornton is a Certified Public Accounting and Consulting Firm and an official partner with the Medical Association.

Pin It

Tags: , , , ,

Posted in: Management

Leave a Comment (0) →