Critical to Stable Condition in 5 Years – Ep 448 

March 8, 2024

By  Donna Grindle

Healthcare is inherently about trust; trust between patients and providers, trust in the efficacy of treatments, and increasingly, trust in the technology that underpins modern medicine. However, this trust is under siege by an evolving landscape of cyber threats. Today, we tackle the critical status of healthcare cybersecurity and the concerted effort the Health Sector Coordinating Council Cybersecurity Working Group has developed to transition the industry to a stable posture over the next five years.

In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

The HIPAA Privacy and Security Boot Camp

3.5-day in-person event

April 9, 10, 11 and 12, 2024

PriSecBootCamp.com


HIPAA Briefs

[04:13] Confirmation of what we all were thinking:

OpenAI, Microsoft Disrupt Nation-State Actors’ Malicious Use of AI

OpenAI and Microsoft disrupted nation-state actors who were using ChatGPT for malicious purposes. You can read the full article, but let’s highlight a few things it brings up:

  • We not only know for sure criminals are using it (no shocker there) but we get a glimpse into what they are using it to do:
    • translate technical papers;
    • retrieve publicly available information on multiple intelligence agencies and regional threat actors;
    • assist with coding;
    • research common ways processes could be hidden on a system;
    • scripting support related to app and web development;
    • generating content likely for spear-phishing campaigns;
    • researching common ways malware could evade detection;
    • identify experts and organizations focused on defense issues in the Asia-Pacific region;
    • understand publicly available vulnerabilities;
    • help with basic scripting tasks;
    • open-source research into satellite communication protocols and radar imaging technology.
  • Your AI activities and data are being monitored, stored, and examined.
  • By terminating accounts and limiting access, OpenAI and Microsoft have temporarily contained the threat. However, they acknowledge that powerful AI systems are now widely accessible, making it difficult to control their use.

HIPAA Say What!?!

[10:23]

Green Ridge Behavioral Health, LLC Resolution Agreement and Corrective Action Plan | HHS.gov

Ransomware attack in February 2019. 14,000 patients affected. $40,000 settlement and a 3-year CAP (corrective action plan).

Signed October 31, 2023

“Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable. These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.” – OCR Director Melanie Fontes Rainer

Another settlement pointing out that you must review all your vendors and third-party relationships to determine which of them are business associates (BAs).

“Within sixty (60) days of the Effective Date and annually following the Effective Date, GRBH shall review all relationships with vendors and third-party service providers to identify business associates.”

Critical to Stable Condition in 5 Years

[15:45] The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG), which 405(d) is a part of, has been working for the last 20 months to lay out its Health Industry Cybersecurity Strategic Plan (HIC-SP) for 2024-2029. The whole concept is about taking the health industry cybersecurity posture from critical condition to stable within 5 years. The plan emphasizes that protecting the health sector is a shared responsibility.

Health Industry Cybersecurity – Strategic Plan (2024–2029)

This plan was a collaboration between HSCC and HHS and is forward-looking and strategic. It asks the question: how can we move forward? How can we not only defend against what’s happening today, but prepare for the future? And it should cover all industry subsectors. This big report is designed for C-suite executives and IT and security leaders to help them plan for moving forward, and the plan includes measurable outcomes across the multiple subsectors.

[20:51] From a leadership perspective, the guiding principles for this HIC-SP are:

  • Cyber Safety is Patient Safety – Patient safety is core, and cybersecurity is a critical element to enable patient safety;
  • Shared Responsibility – Cybersecurity objectives involve all interdependent healthcare and public health subsectors. Every organization should be able to “see themselves” and what actions they can take or influence to achieve one or more objectives of the strategic plan;
  • Symbiotic Security and Interoperability – Protection of sensitive data, trademarks, and intellectual property is symbiotic with the promotion of data sharing and interoperability to enable informed care delivery;
  • Mutually-enabling Privacy and Security – Cybersecurity supports data privacy and privacy requirements integrate with cybersecurity objectives;
  • Cybersecurity Business Enabler – Cybersecurity requirements should foster innovation and evolving healthcare business needs;
  • U.S.-Framework Globally Adaptable – Cybersecurity strategic objectives should focus first on the U.S. healthcare and public health ecosystem and be adaptable to global healthcare cybersecurity and resilience imperatives; and
  • Culture of Cybersecurity – Cybersecurity goals constitute a lifetime wellness plan that should not be limited by tactical constraints of habit or myopia.

Those are the 7 guiding principles that the plan laid out. We need to keep all of these in mind as we’re putting together this 5-year plan. Next are the 7 business, technology, clinical, and policy trends that will characterize the evolution of the health sector over the next 5 years and beyond.

  1. Methods of care delivery will continue to shift and evolve
  2. Adoption of emerging and disruptive technologies will accelerate
  3. The business of healthcare will continue to change and adapt
  4. Acute Financial Distress will not abate
  5. Workforce recruitment and talent management will face competitive pressures from supply and demand pressures
  6. Governments will be challenged to develop coordinated and coherent policies for a rapidly evolving and complex health system
  7. Global instability, climate change and downstream effects will increase pressure on the healthcare supply chain

If you’re a business leader, you should be worried about all of these trends anyway.

[33:14] That brings us to the 10 cybersecurity goals to meet the challenges posed by those 7 industry trends.

That last one (#10) is the key to attaining all the others. We say it all the time: if it’s not a goal and a focus of leadership, it will not become a goal and focus of the organization.

In order to accomplish the goals that address the trends using the guiding principles, HSCC lists 12 cybersecurity objectives:

  1. Develop, adopt and demand safety and resilience requirements for products and services offered, from business to business, as well as health systems to patients, with the concept of secure-by-design and secure-by-default
  2. Simplify access to resources and implementation approaches related to the adoption of controls and practices aligned with regulatory and sector standards for securing devices, services, and data
  3. Develop and adopt practical and uniform privacy standards to protect personal information and promote fair and ethical data practices while sharing the data in a consensual ecosystem
  4. Increase new partnerships with public/private entities on the front edge of evaluating and responding to emerging technology issues to enable safe, secure, and faster adoption of emerging technologies
  5. Enhance health sector senior leadership and board knowledge of cybersecurity and their accountability to create a culture of security within their organizations
  6. Increase utilization of cybersecurity practices / resources / capabilities by public health, physician practices and smaller health delivery organizations (e.g., rural health)
  7. Increase incentives, development and promotion of health care cybersecurity-focused education and certification programs
  8. Increase utilization of automation and emerging technologies like AI to drive efficiencies in cybersecurity processes
  9. Develop health sub-sector specific integrated cybersecurity profile aligned with regulatory requirements
  10. Develop meaningful cross-sector third-party risk management strategies for evaluating, monitoring, and responding to supply chain and third-party provider cybersecurity risks
  11. Increase meaningful and timely information sharing of cyber related disruptions to improve sector readiness
  12. Develop mechanisms to enable “mutual aid” support across sector stakeholders to allow for timely and effective response to cybersecurity incidents

“One of the guiding principles of this Strategic Plan is that cybersecurity responsibility in the health sector is a shared responsibility. In that spirit, if the industry is to achieve the ambitious goals and objectives that will deliver us to the Targeted Future State that we envision, it will take the collective and collaborative efforts of all private sector and government stakeholders.”

What is our target future state?

[49:59] The strategic plan points out that we were in critical condition back in 2017. Back in 2016 we started seeing hospitals being shut down by ransomware, and we weren’t really responding to the increase in threats in 2017. Now ransomware is a regular thing. So, just as the payment card industry established rules for managing credit card transactions (PCI DSS), we need a healthcare sector-level strategic plan to manage cyber threats.

This HIC-SP is a 5-year plan to help take the healthcare sector to a stable condition regarding cybersecurity.

Even though this five-year plan might sound like an audacious venture, our goal is simple: transition the healthcare sector from a critical condition to one that’s safe, stable, and prepared for future threats. The well-being of each patient relies not only on good healthcare, but on the assurance that their data and privacy are safeguarded—because, at the end of the day, cyber safety is patient safety.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
