The National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR) recently hosted another informative conference focused on safeguarding patient information. Representatives from Protiviti’s healthcare/cybersecurity team attended the annual event, which brings together a diverse group from across the healthcare industry, including government, healthcare delivery organizations (HDOs)/providers, business associates, professional services firms and others, to discuss one goal: how to provide the best patient care while keeping sensitive patient information safe and secure. As in previous years, the conference included a keynote presentation from Roger Severino, director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, general sessions on security and privacy theory, detailed “deep-dive” sessions on technologies such as application programming interfaces (APIs), and a capstone presentation on recent HIPAA enforcement actions from Serena Mosley-Day, Senior Advisor for HIPAA Compliance and Enforcement with HHS.
Here are some of the key takeaways we noted at the 2019 conference:
Right of Access to Records: This remains an important area of concern. Patient-facing apps, portals, and the complex APIs that connect them are here to stay as patients move to “own” their health information, and apps and portals are fast becoming the industry norm. OCR is placing an emphasis on a patient’s right to access their own health information and is cracking down on HDOs that drag their feet. Several presentations reiterated the importance of this HIPAA Privacy Rule principle, and most referenced the recent settlement with Bayfront Health – St. Petersburg for $85,000 over a single (yet egregious) infraction.
Medical Devices are Evolving: Multiple speakers discussed the challenges of securing medical devices, either as part of their core presentations or as personal asides. The HIPAA Security Rule was designed to be flexible and scalable for organizations of varying shapes and sizes, and it is technology-neutral rather than prescriptive about how devices must be secured. Medical device security is a very complex topic that will not be solved by one manufacturer or HDO alone, and the relatively new addition of wearables and IoT devices to the medical device world adds to the challenge. It is a team sport that will require help from many stakeholders to make meaningful change and protect both patient safety and data security. To learn more, read Protiviti’s recent blog on this topic.
Breach Trends – Lost/Stolen Laptops Down, Hacking Up: Several speakers, including Severino and Mosley-Day of HHS, noted that full-disk encryption has reduced reportable breaches involving lost or stolen computing devices such as laptops and smartphones, and that breaches via these devices are decreasing. (PHI encrypted in line with HHS guidance is not “unsecured” PHI, so the loss of an encrypted device whose keys were not also compromised is generally not a reportable breach.) On the flip side, “hacking” as a breach category continues to trend upward. Most speakers attributed this to the increased volume and sophistication of phishing campaigns (see next point). It is worth noting that at least one presentation on the Verizon Data Breach Investigations Report (DBIR) highlighted that the top healthcare “errors” were misdelivery, disposal errors and misconfiguration. These results are consistent with what we hear from clients about how smaller breaches (affecting fewer than 500 individuals) occur.
Ransomware and Phishing Continue to be Top Concerns: Ransomware and phishing remain top-of-mind concerns for the healthcare industry. After WannaCry crippled UK hospitals and hit parts of the U.S., HDOs are expected to maintain strong perimeter controls and tested, offline backups of key systems and data to prevent and recover from ransomware events. Several presenters told personal stories of wild phishing attempts. Mosley-Day noted that sub-genres of phishing have spawned depending on the target or method of delivery: whaling (targeting executives and other high-value individuals), vishing (phishing over voice/telephone lines, for example impersonating the IT help desk), spear phishing (tailored messages aimed at specific individuals), and so on. It would appear that hackers still have a heart: one presentation reported that denial of service (DoS) incidents against healthcare entities remain in the single digits (three, to be exact), compared with financial services (575) and professional services (408).
Key Resources: On a final note, many of the presentations from this year’s conference provided great links to various resources. All conference presentations are available online, but here are links to a few we think are especially helpful:
- HHS Privacy and Security Email Listservs
- HHS FAQ on the Access Right, Health Apps and APIs
- HHS & OCR on Twitter: @HHSOCR
- Protiviti Healthcare Cybersecurity
- 2019 Verizon Data Breach Investigations Report
As in years past, one of the key themes from this year’s event was that HIPAA security is a journey, not a destination. As technology continues to advance, organizations must stay alert to keep ahead of attackers and to interpret and comply with HIPAA. It is vital that organizations, big or small, conduct an accurate and thorough risk analysis. Protiviti can help with this exercise, as well as with other security and compliance planning, assessment, remediation and response work. HDOs should be asking themselves:
- Has my organization executed an accurate and thorough HIPAA Security Risk Analysis, according to the guidance published by the OCR?
- Do we have mechanisms in place to drive HIPAA compliance efforts?
- Do we understand, and can we quantify, the risks our patients and organization face related to the security of medical devices?
- Is that analysis focused on patient safety as well as patient data?
- Is my organization prepared to respond in the event of a major cybersecurity-related event?
- Have we performed tests to verify our level of preparedness?