What’s Trending in Healthcare Tech: A View from the NIST/OCR 2019 Conference

The National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR) recently hosted another informative conference focused on safeguarding patient information. Representatives from Protiviti’s healthcare/cybersecurity team attended the annual event, which brings together a diverse group from across the healthcare industry, including government, healthcare delivery organizations (HDOs)/providers, business associates, professional services, and others to discuss one goal – how to most effectively provide the best patient care while keeping sensitive patient information safe and secure. As in previous years, this conference included a keynote presentation from Roger Severino, director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, general sessions on security and privacy theory, detailed “deep-dive” sessions on technologies such as application program interfaces (APIs), and a capstone presentation on recent HIPAA enforcement actions from Serena Mosley-Day, Senior Advisor for HIPAA Compliance and Enforcement with HHS.

Here are some of the key takeaways we noted at the 2019 conference:

Right of Access to Records: This remains an important area of concern. Patient-facing apps, portals, and the complicated APIs that make them all work together are here to stay as patients move to “own” their health information. Apps and portals are fast becoming the norm of the industry. The OCR is placing an emphasis on a patient’s right to access their own health information and cracking down on HDOs that are dragging their feet. Several presentations reiterated the importance of this HIPAA privacy principle, and most referenced the recent settlement with Bayfront Health – St. Petersburg for $85,000 for one particular (yet egregious) infraction.

Medical Devices are Evolving: Multiple speakers discussed the challenges of securing medical devices as part of their core presentations or as personal asides. The reality is that the HIPAA Security Rule was designed to be flexible and scalable for organizations of varying shapes and sizes. Medical device security is a very complex topic and it is not going to be solved by one manufacturer or HDO alone. The relatively new addition of wearables and IoT devices to the medical device world adds to the challenge. It’s a team sport and will require help from many stakeholders to make meaningful change in order to protect patient safety and data security. To learn more, read Protiviti’s recent blog on this topic.

Breach Trends – Lost/Stolen Laptops Down, Hacking Up: Several speakers, including Severino and Mosley-Day of HHS, commented on the fact that from a trend perspective, full-disk encryption has lessened the focus on reportable data breaches related to lost/stolen computing devices such as laptops and smartphones, and breaches via these devices are decreasing. On the flip side, “hacking” as a breach category continues trending upward. Most concluded this is due to the increased volume and sophistication of phishing campaigns (see next point). It’s worth noting here that at least one conference presentation on the Verizon Data Breach Investigations Report (DBIR) highlighted that the top healthcare “errors” were misdelivery, disposal errors and misconfiguration. These results are consistent with what we’re hearing from clients about how minor data breaches (affecting fewer than 500 individuals) are occurring.

Ransomware and Phishing Continue to be Top Concerns: Ransomware and phishing threats continue to be a top-of-mind concern for the healthcare industry. After WannaCry crippled UK hospitals and parts of the U.S., HDOs are expected to maintain strong perimeter controls and backups of key systems and data to prevent and remediate ransomware events. Several presenters told their personal stories of wild phishing attempts. Mosley-Day noted that sub-genres of phishing have spawned depending upon their target or method of delivery, such as whaling – targeting important individuals/executives; vishing – phishing over voice/telephone lines (for example, impersonating the IT helpdesk); and spear phishing – targeting very specific high-profile individuals. It would appear that hackers still have a heart, as one presentation pointed out that denial-of-service (DoS) incidents on healthcare entities are still in single-digit numbers (three to be exact) as opposed to financial services (575) and professional services (408).

Key Resources: On a final note, many of the presentations from this year’s conference provided great links to various resources. All conference presentations are available online, but here are links to a few we think are especially helpful:

As in years past, one of the key themes from this year’s event was that HIPAA Security is a journey, not a destination. As technology continues to advance, organizations remain on alert to stay ahead of the bad guys and to interpret and comply with HIPAA. It is vital that organizations (big or small) are conducting an accurate and thorough risk analysis. Protiviti can help with this exercise, as well as other security and compliance planning, assessment, remediation, and response work. HDOs should be asking themselves:

  • Has my organization executed an accurate and thorough HIPAA Security Risk Analysis, according to the guidance published by the OCR?
  • Do we have mechanisms in place to drive HIPAA compliance efforts?
  • Do we understand, and can we quantify, what risks our patients and organization face related to the security of medical devices?
  • Is this focused on patient safety as well as patient data?
  • Is my organization prepared to respond in the event of a major cybersecurity-related event?
  • Have we performed tests to verify our level of preparedness?

Chris Manning, CISSP, GSEC, QSA, CISA

Security and Privacy
