
Where do we go from here? – Ep 413 

 June 30, 2023

By  Donna Grindle

Healthcare cybersecurity is no walk in the park! Today, we explore the release of the “Health Industry Cybersecurity Recommendations for Government Policy and Programs” by HSCC. It provides suggestions and ideas on how government policy and programs can support the health sector in beefing up their cybersecurity defenses to help keep our health systems safe from cyber threats.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


HIPAA Say What!?!

[03:41]

Snooping in Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement | HHS.gov

Yakima Valley Memorial Hospital Resolution Agreement and Corrective Action Plan | HHS.gov

OCR investigated allegations that several security guards from Yakima Valley Memorial Hospital impermissibly accessed the medical records of 419 individuals.
To voluntarily resolve this matter, Yakima Valley Memorial Hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information and train its workforce members to prevent this type of snooping behavior in the future.
Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs. HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.

OCR Director, Melanie Fontes Rainer

In May 2018, OCR initiated an investigation of Yakima Valley Memorial Hospital following the receipt of a breach notification report, stating that 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records…
As a result of the settlement agreement, Yakima Valley Memorial Hospital will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Yakima Valley Memorial Hospital has agreed to take the following steps to bring their organization into compliance with the HIPAA Rules:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;
  • Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures;
  • Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
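The control at the center of this settlement is the one OCR keeps naming: workforce members get access only to the patient information their job requires, and the access logs are actually reviewed so that snooping is caught before a breach report has to be filed. The following is an added example, not part of the show notes and not material from HHS/OCR or the hospital, of the two checks an audit-log review would run over EHR access records: does the user's role permit that record type at all, and for clinical records, is the user on that patient's care team? The roles, record types, care-team roster and log lines are constructed for illustration, and the permission table is an assumption standing in for an organization's own minimum-necessary analysis.

```python
"""Audit-log review for workforce snooping (added example, constructed data).

Two checks over EHR access events:
  1. role check        - does the user's role permit this record type at all?
  2. need-to-know      - for clinical record types, is the user on the
                         patient's care team (an active treatment relationship)?
Every name, role, record type and log line below is constructed; the policy
tables are assumptions, not any organization's real policy.
"""
from collections import defaultdict

# Record types that carry clinical content and therefore require a
# treatment relationship, not just a permitted role.
CLINICAL_TYPES = {"clinical_note", "medication", "lab_result"}

# Assumed minimum-necessary policy: what each role may open. A security
# guard needs a patient locator (room/bed), never the chart itself.
ROLE_PERMITTED_TYPES = {
    "security_guard": {"patient_locator"},
    "ed_nurse": {"patient_locator"} | CLINICAL_TYPES,
    "ed_physician": {"patient_locator"} | CLINICAL_TYPES,
}

# Constructed care-team roster: (user, patient) pairs with an active
# treatment relationship during the review window.
CARE_TEAM = {("nurse07", "P1001"), ("nurse07", "P1003")}

# Constructed access log: timestamp|user|role|patient_id|record_type
SAMPLE_LOG = """\
2023-04-02T08:15:00|guard01|security_guard|P1001|patient_locator
2023-04-02T08:16:30|guard01|security_guard|P1001|clinical_note
2023-04-02T08:17:10|guard01|security_guard|P1002|clinical_note
2023-04-02T09:00:00|nurse07|ed_nurse|P1001|medication
2023-04-02T23:40:00|guard02|security_guard|P1003|lab_result
2023-04-03T10:05:00|nurse07|ed_nurse|P1003|clinical_note
2023-04-03T10:20:00|nurse07|ed_nurse|P1004|clinical_note
"""


def parse_log(text):
    """Parse pipe-delimited access events into dicts; skips blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, rtype = line.split("|")
        events.append({"ts": ts, "user": user, "role": role,
                       "patient": patient, "record_type": rtype})
    return events


def check_event(event, role_policy=ROLE_PERMITTED_TYPES, care_team=CARE_TEAM):
    """Return the list of policy reasons this access is suspect (empty if clean)."""
    reasons = []
    # An unknown role is treated as permitted nothing (fail closed).
    permitted = role_policy.get(event["role"], set())
    if event["record_type"] not in permitted:
        reasons.append("role_not_permitted")
    if (event["record_type"] in CLINICAL_TYPES
            and (event["user"], event["patient"]) not in care_team):
        reasons.append("no_care_relationship")
    return reasons


def find_violations(events, role_policy=ROLE_PERMITTED_TYPES, care_team=CARE_TEAM):
    """Pair each flagged event with its reasons; clean events are dropped."""
    flagged = []
    for event in events:
        reasons = check_event(event, role_policy, care_team)
        if reasons:
            flagged.append((event, reasons))
    return flagged


def summarize_by_user(violations):
    """Per-user count of flagged accesses and the distinct patients touched.

    The distinct-patient count is what ends up in a breach notification
    (the settlement above counted 419 individuals), so it is tracked separately.
    """
    summary = defaultdict(lambda: {"events": 0, "patients": set()})
    for event, _reasons in violations:
        entry = summary[event["user"]]
        entry["events"] += 1
        entry["patients"].add(event["patient"])
    return dict(summary)


if __name__ == "__main__":
    flagged = find_violations(parse_log(SAMPLE_LOG))
    for event, reasons in flagged:
        print(f"{event['ts']} {event['user']} ({event['role']}) opened "
              f"{event['record_type']} for {event['patient']}: {', '.join(reasons)}")
    for user, entry in summarize_by_user(flagged).items():
        print(f"{user}: {entry['events']} flagged accesses across "
              f"{len(entry['patients'])} distinct patients")
```

Run as a script it prints the four flagged accesses in the constructed log: both guards opening clinical records (their role should never have permitted that type, which is the access-control failure OCR describes), and the nurse opening a chart for a patient not on her roster (the role is fine, the need-to-know is not). The roster check matters because role-based limits alone would never have caught a clinician snooping on a colleague or a neighbor; the role check matters because relying on roster review alone leaves the guards' accounts technically able to open charts at all.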

Where do we go from here?

[19:21]

An Illinois hospital is the first health care facility to link its closing to a ransomware attack

With the news of closings like this hospital, and of others still struggling to survive today, we have to reflect on the landscape report we reviewed a few episodes ago. That report focused on hospitals, an area where we do not claim the same depth of knowledge we have for the rest of the sector. However, a hospital closure like this one impacts all the other health sector entities tied to it. This is exactly why we worry about the impact of a single cyber attack on an entire community.

HSCC published a document of recommendations in April based on the findings of the analysis and input from plenty of stakeholders.

Health Industry Cybersecurity Recommendations for Government Policy and Programs – April 2023

And the massive and increasing complexity of today’s connected healthcare ecosystem gives rise to its own risks: of unanticipated and poorly understood interdependencies; of unknown inherited security weaknesses; of overreliance on vendor solutions; of systems that fail to adequately account for human factors related to cybersecurity controls; and of inconsistencies between software and equipment lifecycles, among others. As a result, we are adopting new technologies faster than we are updating security practices, therefore creating a growing gap between slowly developing security posture and rapidly evolving security threats.
Ensuring that a hospital or clinician’s office is “cybersecure” alone is no longer sufficient; modern care delivery requires that all disparate pieces of the evolving healthcare ecosystem be considered, and appropriately secured as well.

This imperative is addressed through both cybersecurity regulation and policy, and voluntary practices implemented across the healthcare ecosystem. It is clear that, given the increasing number and techniques of cyber incidents inflicted on the health system, neither voluntary practices nor government policy have been sufficient to reduce cyber risk and incidents across the sector.

The Health Sector Coordinating Council Cybersecurity Working Group assesses that enhanced governmental programs and policy could offset the cost of existing cybersecurity regulatory requirements with a coordinated and coherent approach to the reduction of cybersecurity risk in the health sector. Particular attention should be paid to smaller health institutions that remain vulnerable targets but do not have the resources or expertise to comply with existing or proposed cybersecurity regulations, or to implement voluntary practices to shore up their cyber defenses, because of increasing financial, workforce and compliance costs associated with clinical priorities.

…by focusing more on the “what” than the “how”, they are meant to stimulate discussion and creativity within government and with industry around possible initiatives the government can develop.
If implemented under existing or new statutory authorities, these concepts could help reduce risk across the sector through incentive- or grant-based financial assistance and operational support, particularly to under-resourced health systems, including small practice, critical access, safety net and rural emergency hospitals.

[37:27]
The recommendations cover 5 categories:

  1. Preparedness Support and Information Sharing
  2. Financial Support and Incentives
  3. Incident Response and Recovery
  4. Workforce
  5. Regulatory Reform

We are going to run through some of the points that got our attention in each of those categories.

Preparedness Support and Information Sharing

HHS should fund a national marketing and outreach campaign to the health provider community about the imperative of cyber security as a patient safety issue.

They mention using the resources already published on the HHS 405(d) website, by the HSCC and by Health-ISAC, and coordinating those three in a joint outreach campaign. Yes, we have to increase awareness of what is already available and continue to educate.

Boost funding for HHS Health Sector Cyber Coordination Center (HC3) to be a primary knowledge sharing and analysis resource within HHS to support healthcare cybersecurity in coordination with CISA. Congress should make HC3 an appropriated line item.

This would be very helpful: resources allocated specifically to collecting and evaluating threat impacts on the health sector, coordinated with CISA.

So many assume that this sector is just like all the others. Having been in this for so long and talked to so many who joined the sector after working in others, I assure you that there are deep-rooted differences that you do not notice until you look under the hood.

There are so many fingers in the pie and so many moving parts to coordinate along the way just to meet the requirements for patient care. It is broad and deep. Data rich and cyber poor too. A filter is very necessary to organize all of the different threats in ways that apply to the environment.

Assign an office within HHS (similar to a “Bureau of Census” for healthcare cybersecurity), in partnership with industry, to develop a program to measure cybersecurity performance in the health provider sector.

Favorite idea here! Until the conversation is raised regularly to leadership in all organizations, we know we will never get the attention and funding needed before things fall apart. That goes for HHS just like any other organization. We would love to gather more data on how the sector is performing on cyber security. Just like anything else, without funding no data will be found.

For legislative consideration: In the reauthorization of the Pandemic and All Hazards Preparedness Act (PAHPA).

Very interesting approach here to supporting organizations when they are attacked. This is a community crisis, as we have started to document well: one case in OKC showed the impact an allergy clinic’s attack had on other clinics in the area. We have confirmed stats showing that one hospital hit by an attack may contain the blast radius of the cyber attack within its own organization; however, the residual fallout from that blast hits all the surrounding systems that have to catch the overflow it creates.

This calls for being able to activate FEMA and other government support services to help. PLUS, funding agencies to actually help enhance the resilience of organizations. We discuss all of the time the need to have detailed response and recovery plans.

It also calls for funding responses including human, technical and financial support to the victim orgs in high impact attacks.

There’s a lot of discussion about approaches to cyber insurance. That is a whole other mess.

Financial Support and Incentives

[44:39]
CMS reimbursement incentives.

This has to be part of the mix somewhere, but we are not sure how.

Funding support and/or technical assistance for critical access, safety net and rural emergency hospitals to remediate urgent vulnerabilities or mitigate threats.

This would be a big help when some new zero day or actively attacked vulnerabilities require a lot of time, people and/or tools to mitigate as quickly as needed.

Incident Response and Recovery

[47:42]
When responding to an incident, timely and actionable government sharing of cyber threat and incident information is frequently inadequate for private sector needs.

We know well how complicated it can be to meet all the requirements of checks and balances to publish anything from government resources. The suggestions here are trying to find a way we can speed it up with involvement of designated.

Dealing with cyber coverage issues and the pricing explosion for that coverage from private carriers is definitely touched on by several points in this section too.

Workforce

[52:56]
HHS can administer a healthcare cybersecurity workforce development and cyber training program with assistance from NIST, CISA, and/or Veterans Administration. A program could include access to free cyber training, assistance to providers under an expanded Regional Extension Centers program, and student loan forgiveness programs modeled after physician loan forgiveness programs, or the National Science Foundation’s CyberCorps(R) Scholarship for Service (SFS) program. This program provides a full scholarship plus stipend for undergraduate and master’s degrees in cybersecurity and requires two years of government service.

Consider authorizing a funded, subsidized “civilian cyber health corp”. This could take the form of loan forgiveness; i.e. a Federal program pays / helps pay for a cyber education in exchange for a minimum number of years served, modeled after a uniformed health corp.

There are some other ideas in the section too. We definitely need to encourage people to go into these fields, but so many people see cyber security jobs as something only technical nerds should apply for. They are so far from the reality of the situation. Just like everything else, we need to educate people about cyber security education and encourage others to seek out cyber security careers.

Regulatory Reform

[56:53]
A holistic, coherent cyber policy strategy is essential for a healthcare environment where clinical operations, medical devices, electronic health record technology, patient data, and IT systems are all interconnected but subject to differing regulatory structures and authorities.

This brings us back to where we started. The healthcare environment is very interconnected yet subject to all these different rules and regulations based on the structure of the organizations and where they are located.

The last one in the section – great idea but I have no idea how it could be done.

As we have said for years – there is no doubt we are and have been under attack in healthcare. Also, we have so many areas where the gaps are very wide, making it so hard to solve the problems that could mitigate the damages we see. We have to make a plan going forward with some new approaches because what we have been doing is clearly not working. However, we also need to address why those things haven’t worked in order to prevent more efforts that only gain inroads a little at a time.

One key reason we are where we are, IMHO, is that the original Security Rule implementation had zero enforcement. No incentives to get things in order. Had we done that back then, we would definitely have a whole different landscape today. Unless a business is forced to invest, or seriously incentivized to invest, it really doesn’t seem to work no matter how many ideas are in place.

These suggestions may work well in larger organizations which we absolutely need. However, the smaller entities have even more limitations on resources and are spread even thinner than the larger ones. Rural ones without access to talent are only exacerbating the problems they face. We may need to take a whole different approach for those entities with their own subset of resources and tools.

HIPAA is not about compliance,

it’s about patient care.TM
