Cybersecurity

The Enemy Within - "Homegrown" HIPAA vulnerabilities

Just yesterday I briefly discussed the electronic vulnerabilities facing hospitals and health practitioners. Much of that note focused on hackers attacking systems and holding them for ransom. It is a major problem confronting the healthcare sector, and it will continue to be for a long time to come.

Other threats linger, and this week we learned about one of the potential hazards we must guard against: the hazard we bring to the table ourselves. In short, we can be our own worst enemies. Such is the case at the University of Mississippi Medical Center and the Oregon Health & Science University.

At the University of Mississippi Medical Center (UMMC), staff allowed a party to "borrow" a hospital laptop while in the ICU. The borrowed laptop was never returned. That fact is curious enough, but this is where it gets really interesting.

The Mississippi hospital had secured its network, but the patient data on the laptop was protected by only the most generic of safeguards. Apparently, no software was in place to track who accessed that data.

One wonders whether the laptop itself had location software in place. In other words, the equivalent of the "find my phone" application we all use (I know I do) to locate phones and tablets may not have been there. Most of these tracking applications allow a user to wipe all data from a lost device, which is quite handy when a piece of hardware goes missing. Note the limit, though: a remote wipe only takes effect if the device comes back online, whereas full-disk encryption protects the data whether or not it ever does.

The folks at UMMC compounded the issue when they failed to notify the patients whose data was breached of the potential exposure. We must ask: if they had no access tracking software in place, how do they know whose data was purloined and whose was not?

The OCR summarized UMMC's failures in its press release. UMMC failed to:

  • implement its policies and procedures to prevent, detect, contain, and correct security violations;
  • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

UMMC settled with the HHS Office for Civil Rights (OCR), paying a penalty of $2.75M while not admitting any liability. UMMC is also working to overhaul its security standards. Read the entire HHS OCR press release here, and the actual text of the settlement here.

Oregon Health & Science University also felt the ire of the HHS OCR, paying a similar fine for breaches involving unsecured laptops and stolen USB thumb drives. While OHSU self-reported, the OCR faulted OHSU for failing to respond appropriately to these breaches.

This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.
— HHS OCR Director Jocelyn Samuels, discussing the OHSU settlement

The Oregon facility paid a fine of $2.7M and entered a three-year corrective action plan. Read the HHS OCR's press release here, and you can read the settlement text here.

These two actions underscore the aggressive stance of the OCR in the face of ever more common data breaches. They also demonstrate how we are often our own worst enemies.

And CEOs, Risk Managers, Compliance Officers, and IT professionals - please take these compliance matters seriously.  

For more on how to deal with these issues, contact the Spiers Group today. 

The Unintended Consequence of Your EHR

A secret agent slips into an office under the cover of night. Evading cleaning crews and the impressive security precautions, she identifies her target.  She cleverly hides her trap, then slips out the way she came. No one is the wiser until she triggers the trap later that week.

The stuff of Hollywood? No, the world of healthcare cyber espionage. The world that destroyed Iranian centrifuges with a piece of software surreptitiously slipped onto their network. The world where a seemingly innocuous email, or clinical photograph shared between colleagues, or even an email about an upcoming Continuing Medical Education event could harbor a tiny bit of code that will burrow its way into your electronic health record.

That is right: the electronic health record you are required to have leaves you open to cyber predators. An article in Politico makes me ask, "Aren't you glad we have modernized?" Today hospitals and medical practices loom as ripe targets for the same measures that governments use against each other and that hackers use for their own enrichment. And here is the scary bit of the equation: is your security as good as that of the Defense Department? The State Department? A major defense think tank?

I am just going to hazard a guess that the answer is no.

Cyber-attacks on medical facilities are increasing in frequency and are ever more audacious. The anonymity of the internet makes it possible for an attack to go unnoticed until the attacker wants it known. Often, records are mined for data that can be sold on the black market. Believe it or not, health records often sell on the dark net for more than plain Social Security numbers do. That is but one source of income for these offenders.

Even more audacious, and perhaps more devastating, are attacks that threaten medical record systems through ransomware. Attackers lock up a medical record system, and then comes their real payday: "Pay us a certain amount of untraceable bitcoins by a certain date or we will erase your medical records. ALL OF THEM."

But you have backups. "I can just restore my backup, and the ransomware will be gone, right?" That might work, but chances are you don't have a backup from last year, or the year before, and even if you did, you would be losing years of data. The people who use ransomware are patient. They may wait months or years before triggering the code that holds your records hostage, and in the meantime the dormant payload is copied into every backup you take. So that backup from last week? Infected. Last month? The same. Last year? Maybe. The practical consequence is that a backup is only as good as two things: how far back your retention reaches, and whether you restore the data onto freshly rebuilt systems rather than restoring a whole system image that may carry the attacker's foothold along with it.
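The retention and verification problem described above, as an added example that is not part of the original post and not code from the Spiers Group. It assumes a grandfather-father-son retention schedule (7 daily, 4 weekly, 12 monthly, 5 yearly copies), a write-once manifest of SHA-256 hashes recorded when each backup is taken, and an incident response team that can date the earliest sign of compromise. The snapshot names, archive contents, and the two compromise dates are constructed sample data, not real backups or a real incident.

```python
import hashlib
from datetime import date, timedelta


def sha256_hex(data: bytes) -> str:
    """Hash recorded in a write-once manifest at the moment each backup is taken."""
    return hashlib.sha256(data).hexdigest()


def select_restore_points(dates, keep_daily=7, keep_weekly=4, keep_monthly=12, keep_yearly=5):
    """Grandfather-father-son retention over snapshot dates.

    Keeps the newest `keep_daily` snapshots, then the newest snapshot in each of the
    last `keep_weekly` ISO weeks, `keep_monthly` calendar months and `keep_yearly`
    years. Returns the kept dates in ascending order; anything else may be expired.
    """
    ordered = sorted(set(dates), reverse=True)
    keep = set(ordered[:keep_daily])
    periods = (
        (lambda d: tuple(d.isocalendar()[:2]), keep_weekly),   # (ISO year, ISO week)
        (lambda d: (d.year, d.month), keep_monthly),
        (lambda d: d.year, keep_yearly),
    )
    for period_of, limit in periods:
        seen = []
        for d in ordered:
            period = period_of(d)
            if period in seen:
                continue            # a newer snapshot already represents this period
            seen.append(period)
            if len(seen) > limit:
                break
            keep.add(d)
    return sorted(keep)


def verify_snapshots(manifest, contents):
    """Recompute every snapshot's hash and compare it with the manifest.

    Returns the names that no longer match: encrypted in place, tampered with, or
    silently corrupted. A snapshot the attacker could reach is not a backup.
    """
    return sorted(name for name, expected in manifest.items()
                  if sha256_hex(contents.get(name, b"")) != expected)


def newest_clean_restore_point(snapshots, manifest, contents, earliest_compromise):
    """Newest retained snapshot taken before the earliest known sign of compromise
    whose hash still matches the manifest; None if no trustworthy point survives.

    `snapshots` maps snapshot date -> archive name.
    """
    bad = set(verify_snapshots(manifest, contents))
    for snap_date in reversed(select_restore_points(snapshots)):
        name = snapshots[snap_date]
        if snap_date < earliest_compromise and name not in bad:
            return name
    return None


# ---- constructed sample data (hypothetical, not real backups) -------------------
FIRST, LAST = date(2014, 5, 1), date(2016, 7, 20)
SAMPLE_DATES = [FIRST + timedelta(days=i) for i in range((LAST - FIRST).days + 1)]
SAMPLE_SNAPSHOTS = {d: f"ehr-{d.isoformat()}.tar" for d in SAMPLE_DATES}
# Placeholder archive bodies; a real manifest would hash the archive files themselves.
CLEAN_CONTENTS = {name: f"ePHI archive {name}".encode() for name in SAMPLE_SNAPSHOTS.values()}
MANIFEST = {name: sha256_hex(body) for name, body in CLEAN_CONTENTS.items()}
# Simulate the payday: the attacker encrypts every archive it could reach, here the
# last 30 days of snapshots sitting on an online backup share.
ENCRYPTED_CONTENTS = dict(CLEAN_CONTENTS)
for d in SAMPLE_DATES[-30:]:
    ENCRYPTED_CONTENTS[SAMPLE_SNAPSHOTS[d]] = b"\x00 encrypted by ransomware \x00"


def demo():
    """Two hypothetical incident timelines against the same backup set."""
    return {
        "damaged": verify_snapshots(MANIFEST, ENCRYPTED_CONTENTS),
        # Dropper traced to March 2016: a four-month-old monthly copy is still clean.
        "recent_dwell": newest_clean_restore_point(
            SAMPLE_SNAPSHOTS, MANIFEST, ENCRYPTED_CONTENTS, date(2016, 3, 5)),
        # Dropper traced to July 2015: only a yearly copy predates it.
        "long_dwell": newest_clean_restore_point(
            SAMPLE_SNAPSHOTS, MANIFEST, ENCRYPTED_CONTENTS, date(2015, 7, 15)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        if isinstance(result, list):
            print(f"{label}: {len(result)} snapshots fail verification")
        else:
            print(f"{label}: restore from {result}")
```

Two design choices carry the weight here. The manifest must live somewhere the attacker cannot write (offline media or a write-once store), or the verification proves nothing; and the "earliest compromise" date has to come from the investigation, because a backup that verifies perfectly can still contain the dormant dropper the post describes, which is why the data is restored into rebuilt systems rather than the image itself being booted.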

This dark world is treacherous. There is no quick fix. And what is frustrating for so many is that regulation forces us into the very arena where we are most susceptible. EHRs are here to stay. And let us not forget all of the gadgets at work in our hospitals that are potentially vulnerable to attack.

The list of medical cyber susceptibilities neither begins nor ends with electronic medical records. Ventilators, IV medication pumps, radiology equipment, and even implantable devices are all vulnerable to cyber-attack. Ransoming a record could be devastating, but once in control of these other devices, the nefarious could ratchet up the stakes: "pay up or we kill someone..."

So how do we address this challenge? Some hospitals have already been attacked, and some admit paying the demanded ransom. Of course, paying may do little to stop the attackers from taking a second bite at the apple, locking down the system again and demanding more money. We as a community are just not sure.

It is certain that the authorities and various regulators, from the DOJ to HHS, as well as segments of the cyber security industry, are working to address the issue. In an ironic twist, some have recognized that a good old-fashioned paper copy of their records is the best insurance they have.

Small practices should not stand idly by thinking this is a problem of scale. No one is too small. Indeed, the smaller the practice, arguably the more susceptible it is to an attack.

If you have an electronic health record, even if part of a closed system, you are vulnerable. 

Here you can read the HHS fact sheet regarding ransomware. I suggest you download it and review its contents regularly.

Contact the Spiers Group to discuss measures you can take to protect yourself – or recover from an attack.