Enforcement Evolves | Mac McMillan, co-founder and CEO of CynergisTek, Inc. | Healthcare Blogs Skip to content Skip to navigation

Enforcement Evolves

May 12, 2017
by Mac McMillan, co-founder and CEO of CynergisTek, Inc.
| Reprints
An infrastructure is being built to protect and keep confidential patient information

Several major security vendors just released their latest analysis of threat activity and their findings portend a busy time for IT and security teams in healthcare. Almost all indicators of threat activity from malware to targeted hacking are up.

In the last month we witnessed another health system, Eerie County Medical Center (ECMC), in Buffalo, NY, fall victim to a serious cyber attack that disrupted critical systems and communications.  While they haven’t communicated it yet, the expectation is that this yet another massive ransomware malware or zero day virus attack that has proven so effective in healthcare over the last 24 months. ECMC has been praised for their quick response, and they reportedly have received assistance from other healthcare organizations near them, a testament to the industry, that has help to mitigate the impact of the attack. But their situation has lasted for two weeks and is not yet over with; a distraction that no hospital system would want.

Many healthcare organizations have taken steps to improve their cyber defenses and increased the budgets for security technology and services.  And healthcare as a whole is not any more or less prepared for these types of attacks. The problem is that healthcare is unfortunately in the sweet spot for these attacks. As an industry, healthcare has considerable amounts of valuable information making it a lucrative target. It also relies heavily on that information for what it does, and taking that information away or the systems that deliver it can create serious outcomes to patient safety and care, not just disruption of operations, or loss of revenue. As a result healthcare is the perfect target for the cyber criminal.

Mac McMillan

Interestingly, at the same time we see this cyber offensive continuing to escalate, we also are seeing a very serious and active response by the Office for Civil Rights (OCR) with respect to its compliance review and breach investigation activity, and as a result, a higher number of resolutions thus far in 2017. If they maintain their current level of activity we could see four times the number of resolutions as we saw last year, which was touted as a record year.  As of this last week there have been seven resolution agreements totaling $14.3 million.

According to OCR Director Roger Severino and members of his staff who have spoken publicly at various events, or have been interviewed, enforcement of the HIPAA security and privacy rules is a priority for the division.  Common themes in those resolution agreements included lack of or inadequate risk assessment, inadequate access controls, missing or dated policies, lack of documentation of risk measures or remediations, inadequate privacy monitoring activities, lack of training and missing or dated business associate agreements. You are probably thinking nothing you, and you’re right. The question is why are we continuing to commit these mistakes or lapses of judgement?  OCR might be wondering this same thing, which might explain what amounts to the next evolution in their compliance review activity.

For months now we have been telling healthcare organizations we work with and who attend our educational seminars that they need to pay attention to all their breach activity, not just the big ones, and that they need to build their own breach database and analyze that data for trends. We have been doing this because OCR has been on a path to improve its own ability to do just that, building the infrastructure and databases needed for its regulators to analyze an entity’s whole breach activity, not just the current one.

We have also advised organizations to report breaches, no matter their size, right away as opposed to waiting till the end of the year and aggregating the small ones. It seems we have arrived. OCR has recently issued compliance reviews based on the aggregated reporting of small breaches across a calendar year. It should be noted that this review is not trivial in that OCR has requested numerous documents and questions be answered for each individual breach reported for that year. Also this review, consistent with current practice, is fairly broad in its request for information and seeks to answer whether the organization had sufficient compliance.

What’s notable here is that this is the first time we seen OCR take this approach to a compliance review. It demonstrates that they now have the resources and organization of information to support this type of review.  It also demonstrates a more systemic review of compliance. Enforcement is evolving and stepping up to meet what OCR clearly believes is a serious fight—to protect and keep confidential patient information.

The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


/blogs/rajiv-leventhal/cybersecurity/enforcement-evolves
/news-item/cybersecurity/health-first-data-breach-exposes-information-42k-patients

Health First Data Breach Exposes Information of 42K Patients

November 15, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

A data breach at Florida-based Health First exposed the personal information of some 42,000 patients, according to various industry media reports this week.

The website DataBreaches.net reported that in early October, the healthcare provider Health First notified the Department of Health & Human Services (HHS) of a breach that affected 42,000 patients.  The breach actually occurred earlier in the year, however, between February and May 2018, according to the report, which received a statement from the organization’s senior vice president, consumer and retail services.

The Health First executive noted that “a small number of our employees were the victims of a phishing scam which compromised some of our customers’ information. The criminals were able to gain access of these employees’ email accounts for a limited period of time.”

Health First officials also told Florida Today this week that the data breach “was fairly low-level, though it could have included some customers' Social Security numbers. Mostly it appears to have involved information such as addresses and birth dates. No medical information was compromised,” according to this report.

Phishing attacks continue to plague the healthcare industry; the single largest breach this year was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. That said, cybersecurity professionals are still looking for more advanced ways to get out in front of these attacks, as healthcare has traditionally lagged behind other industries in in phishing resiliency.

More From Healthcare Informatics

/webinar/components-strong-cybersecurity-program-closer-look-endpoint-security-best-practices

Components of Strong Cybersecurity Program - A Closer Look at Endpoint Security Best Practices

Tuesday, December 18, 2018 | 1:00 p.m. ET, 12:00 p.m. CT

Endpoint protection remains a core security challenge for many healthcare organizations and it is more important than ever for healthcare organizations to actively manage their full range of endpoints.

Attend this session to learn why it's more important than ever for healthcare organizations to actively manage their full range of endpoints, endpoint security best practices, and how your endpoint management strategy may need to evolve over time.

Related Insights For: Cybersecurity

/news-item/cybersecurity/44m-patient-records-breached-q3-2018-protenus-finds

4.4M Patient Records Breached in Q3 2018, Protenus Finds

November 7, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

There were 117 disclosed health data breaches in the third quarter of 2018, leading to 4.4 million patient records breached, according to the Q3 Protenus Breach Barometer report.

Published by Protenus, a cybersecurity software company that issues a Breach Barometer report each month, the most recent data shows that although the number of incidents disclosed in Q3 decreased somewhat from Q2, the number of breached records increased from Q2 to Q3. Also, the number of affected patient records has continued to climb each quarter in 2018—from 1.13 million in Q1 to 3.14 million in Q2 to 4.4 million in Q3.

In Q3, the report noted that the single largest breach was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. Hackers used phishing techniques, “official-looking emails”, to gain access to the organization’s email system and capture employees’ passwords. This new incident follows one that took place at the same organization in April when 16,400 patient records were breached as a result of another phishing attack.

For incidents disclosed to HHS (the Department of Health & Human Services) or the media, insiders were responsible for 23 percent of the total number of breaches in Q3 2018 (27 incidents). Details were disclosed for 21 of those incidents, affecting 680,117 patient records (15 percent of total breached patient records). For this analysis, insider incidents are characterized as either insider-error or insider-wrongdoing. The former includes accidents and other incidents without malicious intent that could be considered “human error.” 

There were 19 publicly disclosed incidents that involved insider-error between July and September 2018. Details were disclosed for 16 of these incidents, affecting 389,428 patient records. In contrast, eight incidents involved insider-wrongdoing, with data disclosed for five of these incidents.

Notably, when comparing each quarter in 2018, there has been a drastic increase in the number of breached patient records as a result of insider-wrongdoing. In Q1 2018, there were about 4,600 affected patient records, in Q2 2018 there were just over 70,000 affected patient records, and in Q3 there were more than 290,000 affected patient records tied to insider-wrongdoing.

What’s more, the report found that hacking continues to threaten healthcare organizations, with another increase in incidents and affected patient records in the third quarter of 2018. Between July and September, there were 60 hacking incidents—51 percent of all Q3 2018 publicly disclosed incidents. Details were disclosed for 52 of those incidents, which affected almost 3.7 million patient records. Eight of those reported incidents specifically mentioned ransomware or malware, ten incidents mentioned a phishing attack, and two incidents mentioned another form of ransomware or extortion. However, it’s important to note that the number of hacking incidents and affected patient records have dropped considerably when comparing each month between July and September 2018.

Meanwhile, of the 117 health data breaches for which data was disclosed, it took an average of 402 days to discover a breach from when the breach occurred. The median discovery time was 51 days, and the longest incident to be discovered in Q3 2018 was due to insider-wrongdoing at a Virginia-based healthcare organization. This specific incident occurred when an employee accessed thousands of medical records over the course of their 15-year employment.

See more on Cybersecurity

betebettipobetngsbahis bahis siteleringsbahis