Kusserow on Compliance: Cyber Security—21 Practical Safeguarding Tips

Cyber security is a growing compliance issue with enormous implications for the health care sector. Cyber attacks have risen dramatically over the last two years and are likely averaging one attack a day. Ransomware is one of the most disturbing trends. One of the largest ransomware attacks, known as “WannaCry,” hit organizations in countries around the world. Most ransomware arrives through phishing, which tricks email recipients into running malicious software that encrypts their files so that the user loses access to their documents; WannaCry, by contrast, spread on its own by exploiting a Windows file-sharing (SMB) flaw for which a patch was already available, which is why the patching tips below matter as much as user training. The user is then prompted to pay a ransom in order to have the files restored. For health care providers, there is not only concern about business disruption but the risk of breaches of Protected Health Information (PHI). OCR data indicate that more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches, and show a major increase in breaches attributed to hackers in 2016. According to newly reported studies, health care now ranks as the second highest sector for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in health care: (a) over half of emails were spam; (b) one in 4,375 emails was a phishing attempt; and (c) email-borne ransomware jumped to record levels.

Camella Boateng, a consultant expert in HIPAA compliance, makes the point that all health care organizations should have a response plan ready if and when it is needed. This permits prompt action to mitigate the harm and damage of a breach to systems, reputation, costs, and potential liabilities. Not being prepared with a response plan will likely result in delays, mistakes, and aggravation of the problem. Considerations in developing the plan should include: (a) establishing roles and responsibilities for those who would respond to an incident; (b) outlining the methods to detect, report, and internally evaluate incidents; (c) laying out the steps to be followed in containing and eliminating breaches; (d) determining how the response plan would be initiated and operations restored; and (e) deciding what would be involved in developing, executing, and monitoring a post-event remedial action plan. She advises that responsible program managers should address this as part of their ongoing monitoring responsibilities. Compliance officers should verify this is being done and validate that it is effective in meeting its objectives, through ongoing auditing performed with internal resources or by engaging outside experts.

21 Practical Safeguarding Tips

  1. Don’t assign responsibility for cyber security to someone at a low level in the organization
  2. Ensure software products are up to date with the most recent patches at all times
  3. Establish an aggressive patching schedule for all software
  4. Implement policies/procedures for precautions against malware
  5. Train employees not to click on email links or attachments, or respond to “phishing” inquiries
  6. Regularly test users, for example with simulated phishing messages, to make sure they are on guard
  7. Configure email servers to block zip or other files that are likely to be malicious
  8. Restrict permissions to areas of the network and to databases on the basis of a demonstrated access need
  9. Grant access to systems on a need-to-know basis
  10. Limit which employees can access the files on any single server, so that if one server is infected the malware does not spread to everyone
  11. Focus security efforts on the most critical files, namely patient records
  12. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate them
  13. Maintain frequent data backups to permit restoration of lost data in case of an attack
  14. Regularly take full snapshots of your data and store them offline, where ransomware on the network cannot reach them
  15. Monitor email carefully and do not open email attachments from unknown parties
  16. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access
  17. Develop a business continuity plan to prevent down time
  18. Maintain disaster recovery and emergency operation plans
  19. Practice restoring systems from backups so that the procedure is known to work before it is needed
  20. On any report of an attack, prevent spreading by disconnecting infected systems from the network; disable Wi-Fi, and remove USB sticks or connected external hard drives
  21. Establish real-time data backups to permit work to continue (such backups replicate encrypted files as readily as good ones, so they complement rather than replace the offline snapshots in tip 14)


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.


Kusserow on Compliance: 2016 ransomware and HIPAA data breaches

The HHS Office for Civil Rights (OCR) continues to report that most Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy Rule violations are due to unauthorized access or disclosure, but cyber attacks are now a close second. Such breaches have been very significant over the last couple of years, rising to dramatic levels during 2016. At the end of November the OCR reported that scammers were using fake OCR emails to advance their schemes. No one knows for sure how many data breaches occur, but from what is known, the number may average more than one per day. The broad category of data breaches includes actions by insiders as well as external attacks, including phishing, hacking, and ransomware. The most disturbing trend is ransomware, which typically involves malicious software introduced into a victim’s system that encrypts the system’s data. The attackers threaten to destroy the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in a cryptocurrency such as Bitcoin that is difficult to trace. Health care industry stakeholders, particularly hospitals, have proven to be soft targets, as they need immediate access to their patient information, and many have paid the ransom to regain control over it. There have been some major payouts by health care organizations to regain control over their data.

Dr. Cornelia Dorfschmid, a national expert on the subject of ransomware attacks, notes they have been growing as an internet threat for more than a decade, but have only recently become prominent in health care. The health care sector is considered a soft target, particularly hospitals, which are the perfect mark for this kind of extortion in that they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives, and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

Tom Herrmann, J.D., explained that both the OCR and CMS found that many questioned whether ransomware attacks were even reportable HIPAA breaches. The reasoning was that the attackers have no interest in accessing, copying, or exfiltrating the files they capture; they just want to hold the data out of their target’s control until they are paid. Both CMS and the OCR disagreed and took the position that such an attack is also likely a data breach that must be reported like any other. In July, the OCR released guidance making clear that the presence of ransomware is a security incident under the HIPAA Security Rule, and that encryption of ePHI by ransomware is presumed to be a breach that must be reported in a timely manner unless the covered entity or business associate can demonstrate a low probability that the PHI was compromised; failure to do so exposes the entity to severe penalties. Since the release of the OCR guidance, there has been a continued increase in the number of reported attacks. Some of that increase may reflect health care organizations that had been treating ransom payments as a cost of doing business. They can no longer do that without risking severe penalties, and the OCR has been entering into very large settlements, many over $1 million. A recent example of this enforcement effort is the University of Massachusetts’ $650,000 HIPAA settlement after a breach of unsecured protected health information (PHI), in which the OCR found a number of security and compliance gaps, including the absence of firewalls, as well as failure to meet basic HIPAA security requirements such as conducting a thorough organization-wide risk analysis, properly training staff, and implementing applicable policies and procedures.

OCR guidance to prevent data breaches and ransomware attacks

The OCR guidance discusses:

  • conducting a risk analysis to identify threats and vulnerabilities to electronic PHI (ePHI);
  • establishing ways to mitigate or remediate these identified risks;
  • implementing procedures to take precautions against malware;
  • training users to detect malware and report such detections;
  • limiting access to PHI to people and software requiring such access;
  • maintaining disaster recovery, emergency operations, frequent data backups, and practice restorations.

The fact is that organizations have tools available that can strengthen security and may just need to address a basic lack of security measures.

Tips

To protect against ransomware, organizations should:

  • train employees to understand that breaches often occur when someone opens an email link or attachment, or responds to “phishing” inquiries;
  • conduct an ePHI vulnerabilities assessment and mitigate or remediate identified risks;
  • address any lack of security technology protecting data and information, including firewalls, email, or web traffic filters;
  • focus security efforts on the most critical files, namely patient records;
  • consider using passphrases rather than passwords;
  • develop and implement policies and procedures on how to take precautions against malware;
  • limit access to PHI to people and software requiring such access;
  • maintain disaster recovery, emergency operations, and frequent data backups to permit restoration of lost data in case of an attack;
  • configure email servers to block zip or other files that are likely to be malicious;
  • move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from a network, disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system; and
  • limit those who can access files on a single server, so that if a server gets infected, it won’t spread to everyone.
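Tips 7 and 15 in the 2017 list above and the email-filtering bullet here both come down to the same control: inspect attachments before a user can open them. The following is an added example of that check, not code from the original articles or from Strategic Management Services, and the extension lists and sample messages are assumptions constructed for the demonstration rather than a policy the articles prescribe. It uses only the Python standard library to parse a raw message, flag executable, script and macro-enabled attachments, look inside zip archives (including nested and password-protected ones), and catch an executable renamed to look like a PDF.

```python
"""Attachment policy check for inbound mail (added example, not the article's code)."""
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: file types that should never arrive as mail attachments.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".lnk", ".docm", ".xlsm", ".pptm",
}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_NESTING = 2  # how deep to look inside zip-in-zip attachments


def _ext(name: str) -> str:
    """Lowercase final extension of a file name, or '' if it has none."""
    name = name.lower().rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data: bytes, depth: int = 0) -> list[str]:
    """Return reasons to block a zip payload; an empty list means it passed."""
    reasons: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = _ext(info.filename)
                if info.flag_bits & 0x1:  # bit 0 of the flags marks an encrypted member
                    reasons.append(f"password-protected member {info.filename}")
                elif ext in BLOCKED_EXTENSIONS:
                    reasons.append(f"blocked member {info.filename}")
                elif ext in ARCHIVE_EXTENSIONS:
                    if depth + 1 >= MAX_NESTING:
                        reasons.append(f"nested archive too deep: {info.filename}")
                    else:
                        reasons.extend(inspect_zip(zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        reasons.append("malformed zip")
    return reasons


def check_message(raw: bytes) -> list[str]:
    """Return the policy violations found in a raw RFC 5322 message (empty = deliver)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        elif payload[:2] == b"MZ":
            # Windows executable content hiding behind a harmless-looking name.
            reasons.append(f"executable content in {name}")
        # Inspect declared archives and anything that carries a zip signature.
        if ext in ARCHIVE_EXTENSIONS or payload[:4] == b"PK\x03\x04":
            reasons.extend(f"{name}: {r}" for r in inspect_zip(payload))
    return reasons


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from {member name: content} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample(filename: str, data: bytes, mime: str) -> bytes:
    """Construct a one-attachment message; addresses and text are made up for the demo."""
    maintype, subtype = mime.split("/")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "records@hospital.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "clean pdf": build_sample("invoice.pdf", b"%PDF-1.4 sample", "application/pdf"),
        "exe renamed to pdf": build_sample("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 16, "application/pdf"),
        "script inside zip": build_sample("invoice.zip", make_zip({"invoice.pdf.js": b"WScript"}), "application/zip"),
        "zip inside zip": build_sample("docs.zip", make_zip({"inner.zip": make_zip({"a.exe": b"MZ"})}), "application/zip"),
    }
    for label, raw in samples.items():
        print(f"{label:20s} -> {check_message(raw) or 'deliver'}")
```

The content check matters as much as the extension check: blocking on the declared file name alone is defeated by renaming, and inspecting the zip members rather than just the archive is what stops the common "invoice.zip containing invoice.pdf.js" lure. Password-protected archives are flagged outright because the filter cannot see inside them, which is exactly why attackers use them.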


Copyright © 2016 Strategic Management Services, LLC. Published with permission.