
Cyber resiliency landscape – Ep 407 

 May 19, 2023

By  Donna Grindle

We talk a lot about understanding the current cyber threats and risks involved in not remaining vigilant in protecting against them. Today, we review the Hospital Cyber Resiliency Initiative Landscape Analysis, recently released by 405d. It provides stats and case studies from the real world. It also gives us areas we need to work on and where we need to put our investment of time and money to protect against these threats.

A 5 star review is all we ask from our listeners.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side, you can click them to go directly to that part of the audio. Get the best of both worlds, from the show notes to the audio and back!

HIPAA Say What!?!

[04:19] David Mente, MA, LPC, licensed counselor providing psychotherapy services in Pittsburgh, PA, settled with OCR on another right of access case. Here is another case dealing with mental health providers. We often find that they believe they don’t have to provide access to records at all. The only exception is they are not required to supply their psychotherapy notes to patients.

This one had a much larger payment requirement than most of these cases involving a single practitioner. $15,000 is not something most people can just stroke a check for and never think about again. Not sure what the difference is here. The 2 year CAP looks pretty normal for these cases.

The dates the documents were signed show this one had been hanging around a bit before they announced it. Mente signed the agreement 12/29/2022, but it was countersigned by OCR on 01/05/2023. The initial requirements of the CAP should have been met by now. Maybe they were holding it to make sure the records were sent and the initial requirements completed. Who knows.

This is the 44th settlement OCR has announced for patient right of access violations. Just as in many of the others, they got a complaint, contacted the provider and explained this is what you are supposed to do. Then, they got another complaint that launched the official investigation.

Cyber resiliency landscape

[11:29]
"In anticipation of forthcoming policy discussions, we felt it was necessary to better understand the current state of sector cybersecurity. As a starting point, HHS partnered with the Health Sector Coordinating Council (HSCC) to conduct a Landscape Analysis of a common attack point for cyber criminals, United States (US) hospitals. In light of the acuity of the patient population, cyber attacks at hospitals can be particularly consequential to patient safety. Through this Landscape Analysis we sought to better identify the biggest threats facing hospitals and assess their cybersecurity capabilities relative to commonly accepted cybersecurity practices."

Andrea Palm, Deputy Secretary of Health and Human Services (https://405d.hhs.gov/Documents/405d-hospital-resiliency-analysis.pdf)

So, that is the reason they wanted this analysis done. To get it done, they went to the team that is involved in addressing these topics every single day.

"In response to this growing threat to patient safety and public health, the HHS 405(d) Program convened its public-private partnership to conduct a review to better understand the state of cybersecurity within U.S. hospitals, deemed the 'Landscape Analysis'. The Landscape Analysis included a review of active threats attacking hospitals and the cybersecurity capabilities of U.S. hospitals. Included within the Landscape Analysis are the results of investigations into 1) the tactics and techniques that threat actors use to compromise hospitals and 2) the current state of participating hospital cybersecurity resiliency (using the Health Industry Cybersecurity Practices (HICP) as a framework)."

Introduction (https://405d.hhs.gov/Documents/405d-hospital-resiliency-analysis.pdf)

The team that put together this report used a combination of data sources, including two major surveys, threat data from vendors, and over 30 joint reports by CISA, HC3 and many more. Finally, they added in 20 interviews with geographically and demographically diverse hospitals. The findings themselves aren’t a shock to those of us doing the work. What I liked about the finished report was how it picked specific recommendations within HICP that need to be implemented or improved to better protect the industry.

Specific quotes of note from the report:

  • The FBI and DOJ are now treating the patient and public safety risk that cyber-attacks are posing on hospitals as “threat to life” crimes.
  • 96% of hospitals claim they were operating with end-of-life operating systems or software with known vulnerabilities, which is inclusive of medical devices.

“Attacks are faster, smarter, and more organized. Examples of these attributes are described below:

  1. Elapsed time to exploit is decreasing.
  2. Expansion of Phishing-as-a-service.
  3. Increase in “Access Broker” services.”

Observations Noted

[25:50]
  1. Directly targeted ransomware attacks aimed to disrupt clinical operations are an outsized and growing cyber threat to hospitals.
  2. Variable adoption of critical security features and processes, coupled with a continually evolving threat landscape can expose hospitals to more cyber-attacks.
    • Multi-Factor Authentication (MFA)
    • Vulnerability Assessments
    • Training & Outreach
    • Hospital-at-Home
  3. Hospitals report measurable success in implementing email protections, which is a key attack vector.
  4. Supply chain risk is pervasive for hospitals.
  5. Medical devices have not typically been exploited to disrupt clinical operations in hospitals.
  6. There is significant variation in cybersecurity resiliency among hospitals.
  7. The use of antiquated hardware, systems, and software by hospitals is concerning.
  8. Cybersecurity insurance premiums continue to rise.
  9. Securing cyber talent with requisite skills and experience is challenging.
  10. Adopting HICP improves cyber resiliency.

[34:08] Then, they break down the HICP 10 practices into four categories. This makes it pretty clear as to where our priorities should be.

The detailed discussions in the document warrant further review by anyone remotely involved in managing cybersecurity in healthcare, not just within hospitals.

If you’re still doing the same things you were doing even a year ago, you’re way behind. We highly recommend you download and review the Hospital Cyber Resiliency Initiative Landscape Analysis. It has stats, numbers, real world examples and very specific details on the evaluations and recommendations.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
