Kusserow on Compliance: Cyber Security—21 Practical Safeguarding Tips

Cyber security is a growing compliance issue and has enormous implications for the health care sector. Cyber attacks have increased to dramatic levels over the last two years and are likely averaging one attack a day. Ransomware is one of the most disturbing trends in cyber attacks. One of the largest ransomware attacks, known as “WannaCry,” has hit countries around the world. As with other cyber attacks, ransomware spreads through a phishing attack, which involves tricking email recipients into installing malicious software that encrypts the system, causing the user to lose access to their documents. The user is then prompted to pay a ransom in order to have their system restored. For health care providers, the concern is not only about business, but also the risk of breaches of Protected Health Information (PHI). OCR data indicates more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. Data further indicates a major increase in breaches resulting from “hackers” in 2016. According to newly reported studies, health care now ranks as the second highest sector for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in healthcare: (a) over half of emails contained spam; (b) one in 4,375 emails was a phishing attempt; and (c) email-borne ransomware has jumped to record levels.

Camella Boateng is a consultant expert in addressing HIPAA compliance and makes the point that all health care organizations should have a response plan ready, if and when it is needed. This will permit prompt action to mitigate the harm and damage of such a breach to systems, reputation, costs, and potential liabilities. On the other hand, not being prepared with a response plan will likely result in delays, mistakes, and aggravation of the problem. Considerations in developing the plan should include: (a) establishing roles and responsibilities for those who would respond to an incident; (b) outlining the methods to detect, report, and internally evaluate incidents; (c) laying out steps to be followed in containing and eliminating breaches; (d) determining the manner by which the response plan would be initiated and operations restored; and (e) deciding what would be involved in developing, executing, and monitoring a post-event remedial action plan. She advises that responsible program managers should be addressing this as part of their ongoing monitoring responsibilities. Compliance officers should verify this is being done and validate that it is effective in meeting objectives. This can be done through ongoing auditing efforts that can be performed with internal resources or by engaging outside experts to do it.

21 Practical Safeguarding Tips

  1. Don’t assign responsibility for cyber security to someone at a low level in the organization
  2. Ensure software products are up to date with the most recent patches at all times
  3. Establish an aggressive patching schedule for all software
  4. Implement policies/procedures for precautions against malware
  5. Train employees not to click on email links/attachments or respond to “phishing” inquiries
  6. Regularly test users to make sure they are on guard
  7. Configure email servers to block zip or other files that are likely to be malicious
  8. Restrict permissions to areas of the network based on database access need
  9. Access to systems should be granted on a need-to-know basis
  10. Limit employee access to files on a single server, so if infected, it won’t spread to everyone
  11. Security efforts should focus on the most critical files, namely patient records
  12. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate them
  13. Maintain frequent data backups to permit restoring of lost data in case of an attack
  14. Regularly take full snapshots of your data and store them offline
  15. Monitor email carefully and do not open email attachments from unknown parties
  16. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access
  17. Develop a business continuity plan to prevent downtime
  18. Maintain disaster recovery and emergency operation plans
  19. Regular systems tests can also help flag vulnerabilities before a hacker can get in
  20. On any report of an attack, prevent spreading by disconnecting infected systems from the network; disable Wi-Fi and remove USB sticks or connected external hard drives
  21. Establish real-time data backups to permit work to continue
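Tips 7 and 15 can be enforced mechanically at the mail gateway rather than left to each recipient. The following Python is an added example, not code from the article, that parses a constructed message and flags attachments matching an assumed block list (the extension list and the sample message are assumptions, not from the article); it also catches double extensions such as "invoice.pdf.zip" and archives declared only by content type.

```python
import email
from email import policy

# Attachment policy reflecting tip 7: block archives and executable content.
# This extension list is an assumption for the example, not from the article.
BLOCKED_EXTENSIONS = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".vbs",
                      ".bat", ".cmd", ".hta"}
BLOCKED_CONTENT_TYPES = {"application/zip", "application/x-rar-compressed"}

# Constructed sample message (not a real phishing email) carrying a zip
# attachment disguised with a double extension.
SAMPLE_RAW_EMAIL = """\
From: billing@example-invoices.test
To: staff@hospital.test
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/zip; name="invoice.pdf.zip"
Content-Disposition: attachment; filename="invoice.pdf.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def blocked_attachments(raw_message: str) -> list[str]:
    """Return the names of attachments that violate the policy (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    # iter_attachments() yields only non-body parts; non-multipart mail yields none.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Every suffix is checked, so "invoice.pdf.zip" and "report.zip" both match;
        # the declared content type is checked too, in case the name is misleading.
        suffixes = {"." + s for s in name.split(".")[1:]}
        if suffixes & BLOCKED_EXTENSIONS or part.get_content_type() in BLOCKED_CONTENT_TYPES:
            flagged.append(name or part.get_content_type())
    return flagged
```

A gateway would quarantine the message when the returned list is non-empty and log the sender and filename for the security team.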


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.



Copyright © 2017 Strategic Management Services, LLC. Published with permission.


Hackers to focus on hospitals in 2017

Hackers will target the health care sector above all others in 2017, with their focus shifting from insurers to hospitals, predicts Experian® Data Breach Resolution. The company’s fourth annual Data Breach Industry Forecast also indicates that ransomware will be an increased threat to hospitals. It suggests that “nation-state” cyberattacks will increase, with at least one significant incident in 2017, and that passwords will be phased out in favor of two-factor authentication.

Hospital focus

In 2015, four of the six data breaches reported to the HHS Office for Civil Rights (OCR) affecting more than one million individuals targeted health care insurance companies. As a result, Michael Bruemmer, vice president of Experian Data Breach Resolution, noted that many insurers “doubled down on defenses.” Protected health information (PHI) remains a lucrative source of data for hackers, but the report suggests that hackers will seek this information from hospitals, instead of insurers, in 2017. Bruemmer noted that hospitals “tend to be more decentralized, making their cybersecurity defenses easier to penetrate.” Electronic health records (EHRs), in particular, are targeted because they are accessible by various entities and individuals. The report predicts that ransomware–which encrypts data, effectively preventing providers from using it unless they pay a ransom–will increase, and may shift from simply locking systems in exchange for money to actually stealing data. At any rate, recent OCR guidance on ransomware makes it likely to be a more publicized topic in 2017 (see Data for ransom: OCR offers ransomware guidance).

Nation-state attacks

The report also anticipates an escalation in cyberattacks between nation-states in 2017, noting that both U.S. presidential candidates discussed the issue in 2016. Although Bruemmer noted in December that the incoming Trump administration’s cyberweapons policy is unclear, he anticipates “a publicly observable action in the near future” and thus recommends that the administration “shor[e] up its defense mechanisms and identify[ ] vulnerabilities.” Amidst heated discussions on both sides regarding Russia’s alleged interference with the recent U.S. presidential election, President-elect Trump appointed Thomas P. Bossert as Assistant to the President for Homeland Security and Counterterrorism. Bossert indicated, “We must work toward cyber doctrine that reflects the wisdom of free markets, private competition and the important but limited role of government,” and noted, “The internet is a U.S. invention,” that should reflect the nation’s values “as it continues to transform the future for all nations and all generations.” The president-elect, recently reflecting on cybersecurity, noted “no computer is safe.”

Death of the password?

The report also predicts that individual passwords will be phased out, in all industries, in favor of two-factor authentication, which requires a second form of authentication before access to systems and networks is granted. It lists tokens, geolocation confirmation, and biometrics as examples of secondary authentication. Individuals’ use of the same passwords for various accounts can lead to “aftershock” breaches, which occur when a password compromised in one breach is used to break into another network in the future. Experian Data Breach Resolution suggests that health care organizations will be forced to use two-factor authentication to protect against aftershocks.

Kusserow on Compliance: GAO lambasts HHS/OCR failure to protect EHR security

The General Accountability Office (GAO) reported a 13-fold increase in reported cyber-attacks on federal government agencies between 2006 and 2015, rising to more than 77,000 last year. GAO attributed this increase to failures by HHS and its Office for Civil Rights (OCR), which have primary responsibility for setting standards for protecting Electronic Health Records (EHR) and for enforcing compliance with those standards, but have failed to address what other federal cyber-security guidance calls for under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) for health plans and care providers. GAO reported that over 113 million health records were breached in 2015 alone, which it presented as more than half the U.S. population having had their medical records breached. Of those, just 221 breaches, or 13.3%, were attributed to some form of hacking incident, but many of those hacks were very large, accounting for 126 million records, or 75%, of those records exposed. These breaches can have serious adverse impacts such as identity theft, fraud, and disruption of health care services.

Although EHR permits providers to share information more efficiently and gives patients easier access to their health information, it must be protected. However, this system for storing and transmitting information in electronic form continues to be vulnerable to cyber-based threats. GAO cited the following examples of failures:

  • Failure to address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology to their specific needs, such as developing risk responses.
  • Covered entities and business associates must comply with HHS requirements for risk assessment and management, but without more comprehensive guidance, they may not be adequately protecting electronic health information from compromise.
  • Although HHS has established an oversight program for compliance with privacy and security regulations, they have not always fully verified that the regulations were implemented.
  • OCR has failed to establish benchmarks to assess the effectiveness of its audit program, which results in less assurance that loss or misuse of health information is being adequately addressed.
  • In OCR’s investigations, the technical assistance it provided was not always pertinent to the identified problems, and in other cases it did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed.

GAO made five recommendations, including that HHS update its guidance for protecting electronic health information to address key security elements, improve technical assistance it provides to covered entities, follow up on corrective actions, and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated it would take actions to implement them.




Copyright © 2016 Strategic Management Services, LLC. Published with permission.