Crawl Out Through The Fallout – Ep 464 

 June 28, 2024

By  Donna Grindle

What happens when healthcare giants falter in the face of cyber threats? Today, we dive into the critical need for better cybersecurity investments, continuous training and education, and robust cybersecurity standards. We will explore the fallout from UHG’s cyber incident and break down three fiery letters from US Senators demanding accountability and stricter regulations for cybersecurity practices in healthcare.

In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


405(d) Tip of the Week

[03:24]

Your Access Matters: Treat all Keys with Care!

Today’s topic: Access Management

Why is it important? Each employee has responsibilities to carry out that require various levels of access to systems, networks, and programs. Allowing too much access to all employees or declining to end former employee access can introduce threats to patient safety. This video helps users understand the importance of the mitigation tactic Access Management and provides helpful tips to implement the tactic.
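One way to put the tactic into practice is a periodic access review that compares the accounts on a system with the HR roster. The script below is an added example, not from the show or the 405(d) program; the roster, the account export, and the rule that only the IT department may hold the admin role are all constructed assumptions. It flags the two failure modes the tip names (too much access, access not removed when someone leaves) plus the usual stale-account sweep.

```python
"""Access-review check for the 405(d) Access Management tactic.

Added example, not from the Help Me With HIPAA page or the 405(d) program.
All data below is constructed: a hypothetical HR roster and a hypothetical
export of application accounts with role and last-login date.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample data. Real inputs would come from an HR feed and an
# IdP / EHR account export.
HR_ROSTER = {
    "jdoe": {"status": "active", "department": "nursing"},
    "asmith": {"status": "terminated", "term_date": date(2024, 3, 1)},
    "bwong": {"status": "active", "department": "it"},
    "cpatel": {"status": "active", "department": "billing"},
}

ACCOUNTS = [
    {"user": "jdoe", "role": "clinician", "last_login": date(2024, 6, 20), "disabled": False},
    {"user": "asmith", "role": "clinician", "last_login": date(2024, 2, 28), "disabled": False},
    {"user": "bwong", "role": "admin", "last_login": date(2024, 6, 27), "disabled": False},
    {"user": "cpatel", "role": "admin", "last_login": date(2024, 1, 5), "disabled": False},
    # A leftover service account that nobody in HR owns.
    {"user": "svc-legacy", "role": "admin", "last_login": date(2023, 11, 2), "disabled": False},
]

# Assumption for this example: only IT staff may legitimately hold "admin".
ADMIN_DEPARTMENTS = {"it"}
STALE_DAYS = 90
REVIEW_DATE = date(2024, 6, 28)


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def review_access(accounts, roster, today, stale_days=STALE_DAYS,
                  admin_departments=ADMIN_DEPARTMENTS):
    """Return findings for enabled accounts that violate the tactic.

    ORPHANED         enabled account with no active HR record (terminated
                     or unknown user); access was never removed
    EXCESS_PRIVILEGE admin role held by someone outside an admin department
    STALE            enabled account unused for more than stale_days
    """
    findings = []
    for acct in accounts:
        if acct["disabled"]:
            continue  # already cleaned up, nothing to report
        user = acct["user"]
        person = roster.get(user)
        if person is None or person["status"] != "active":
            findings.append(Finding(user, "ORPHANED"))
        elif acct["role"] == "admin" and person["department"] not in admin_departments:
            findings.append(Finding(user, "EXCESS_PRIVILEGE"))
        if (today - acct["last_login"]).days > stale_days:
            findings.append(Finding(user, "STALE"))
    return findings


def demo_findings():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_access(ACCOUNTS, HR_ROSTER, today=REVIEW_DATE)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.issue:17} {f.user}")
```

Run against the sample data, the review catches the terminated user whose account was never disabled, the billing user holding admin, and the orphaned service account; the active nurse and the IT admin produce no findings. In production the roster and export would be pulled from the HR system and identity provider, and the findings fed to whoever owns deprovisioning.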

Be on the lookout for the next installment of this series! And remember:

A Quick Shot A Day Keeps Cyber Criminals Away!


[05:55] Good news for rural hospitals.

FACT SHEET: Biden-Harris Administration Bolsters Protections for Americans’ Access to Healthcare Through Strengthening Cybersecurity | The White House

Microsoft, Google offer cybersecurity resources for rural hospitals

They have committed to low- and no-cost help for the roughly 1,800 to 2,100 rural hospitals across the nation.

As part of this initiative to improve security and resilience of our rural hospital system, our private sector partners have committed to the following:

  • For independent Critical Access Hospitals and Rural Emergency Hospitals, Microsoft is extending its nonprofit program to provide grants and up to a 75% discount on security products optimized for smaller organizations. For participating larger rural hospitals already using eligible Microsoft solutions, Microsoft is providing its most advanced security suite at no additional cost for one year. Microsoft will also provide free cybersecurity assessments by qualified technology security providers and free training for frontline and IT staff at eligible rural hospitals throughout the country to deepen our resiliency to malicious cyberattacks. Additionally, Microsoft will extend security updates for Windows 10 to participating hospitals for one year at no cost.
  • Google will provide endpoint security advice to rural hospitals and non-profit organizations at no cost, and eligible customers can get discounted pricing for communication and collaboration tools and security support and a pool of funding to support software migration. In addition, Google is committing to launch a pilot program with rural hospitals to develop a packaging of security capabilities that fit these hospitals’ unique needs.

Crawl Out Through The Fallout

[13:23] The fallout from the UHG attack continues, and the things we are seeing, while not all new, are going to get backing like they never have before.

There are a lot of tidbits in these letters, but the message from many different angles is clear: a deeper investigation must be done.

Letters went to HHS and, jointly, to the FTC and SEC about the findings from the Senate Finance Committee hearings. Here are some specific excerpts you may want to quote in your meetings and discussions.

Letter to FTC and SEC on UHG Cybersecurity excerpts:

The consequences of UHG’s apparent decision to waive its MFA policy for servers running older software are now painfully clear. But UHG’s leadership should have known, long before the incident, that this was a bad idea.
Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch.
In addition to the company’s cybersecurity failures, the company also clearly failed to plan for ransomware and to ensure that its digital infrastructure could be promptly restored in hours or days, rather than weeks.

This next bit is really specific, in ways that everyone in a CISO role should note for future reference.

One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. Steven Martin, UHG’s chief information security officer (CISO), had not worked in a full-time cybersecurity role before he was elevated to the top cybersecurity position at UHG in June 2023, after working in other roles at UHG and Change Healthcare. Although Mr. Martin has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise. Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.
Due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG’s cybersecurity lapses. Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses. The Audit and Finance committee of UHG’s board, which is responsible for overseeing cybersecurity risk to the company, clearly failed to do its job. One likely explanation for this board-level oversight failure is that none of the board members have any meaningful cybersecurity expertise.

The article “UnitedHealth leaders ‘should be held responsible’ for installing inexperienced CISO, senator says” discusses that point further.

[28:09]

Letter to HHS on Cybersecurity Standards excerpts:

It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers. HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the health care sector from further, devastating, easily-preventable cyberattacks. To its credit, HHS announced last year that it planned to update the cybersecurity regulations for the healthcare sector, which HHS has not meaningfully updated since 2003.

Specifically called out for HHS action:

HHS should require minimum, mandatory technical cybersecurity standards for systemically important entities (SIEs), including clearinghouses and large health systems. HHS should reinforce these standards and ensure broad adoption by requiring entities that participate in the Medicare program to meet these requirements.
HHS should require SIEs to meet resiliency requirements, so they are able to get back up and running quickly if they are infected with ransomware. SIEs must be capable of rebuilding their information technology infrastructure from scratch and within 48-72 hours. HHS should also stress test these companies to prove they can meet those requirements. It is not acceptable for an SIE like Change Healthcare to be down for more than 6 weeks.
HHS should include periodic cybersecurity audits of covered entities and business associates in its audit program. “I urge HHS, instead, to prioritize audits of SIEs, even if those organizations were not previously subjected to HHS audits.”
HHS should provide technical assistance on cybersecurity to health care providers. The Centers for Medicare & Medicaid Services (CMS)’s Quality Improvement Organizations and Medicare Learning Network programs are vital tools at HHS’ disposal for improving the effectiveness, efficiency, and quality of health care services delivered to Medicare beneficiaries. HHS should leverage these programs to provide cybersecurity technical assistance and guidance to providers, particularly those with low resources.
[41:06] The closing paragraph is short and to the point:

The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security. I urge HHS to use all of its authorities to protect U.S. health care providers and patients from cybersecurity risk.

And we all know there was a data breach and the 60-day clock has expired. A couple of Senators sent a letter directly to UHG CEO Witty: Letter to UHG re: Breach Notification.

However, as of June 6 UHG continues to be in violation of the Health Information Portability and Accountability Act (HIPAA), which requires covered entities to notify individuals of a known or suspected data breach within 60 days of discovering the breach. UHG must also formally notify impacted business partners, including health care providers, in accordance with HIPAA and state law.
[46:00] We can end on the three points made in this MedCity News article:

These 3 Things Must Change for Hospital Cybersecurity to Improve – MedCity News

  1. All healthcare employees need cybersecurity training
  2. The government must establish minimum cybersecurity standards
  3. Healthcare organizations should collaborate to address shared vulnerabilities

Crawl Out Through the Fallout (Novelty Song): Sheldon Allman (1960)

Crawling out through the fallout of cybersecurity challenges means putting your money where your mouth is with better investments and education. Whether you’re a small clinic or a massive Systemically Important Entity like UHG, it’s essential to take cybersecurity seriously and invest in the right people and infrastructure. Make those audits count, stay informed with continuing education, and don’t just rely on antivirus programs. Remember, when cyber threats come knocking, it’s the strength and knowledge of your team that makes the difference.

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.