Health Data Security and Risk: An Overview of What Lies Ahead

According to a recent Accenture report on the Cost of Cybercrime, healthcare ranks fifth among industries for the cost of cybercrime, with an annualized cost of $12.47 million; the financial services industry has the highest annualized cost, at $18.28 million. The report notes that while large organizations experience a higher proportion of costs related to malicious code, insiders and Denial of Service attacks, smaller organizations experience a higher proportion of costs related to phishing, social engineering, malware and stolen devices. The report further notes that organizations can realize significant cost savings by deploying Identity and Access [...]

HHS Healthcare Industry Cybersecurity Task Force Delivers Report to Congress

On June 2, 2017, the HHS Healthcare Industry Cybersecurity Task Force released our final Report on Improving Cybersecurity in the Health Care Industry to Congress. The Task Force report demonstrates the urgency and complexity of the cybersecurity risks facing the health care industry and calls for collaboration between public and private industry to protect our systems and patients from cyber threats. Our Task Force recognized that security issues are patient safety issues. There are six (6) imperatives developed by the Task Force that form the basis for the report. Each imperative includes a set of recommendations and associated action items [...]


Best Practices for Securely Deploying Connected Medical Devices

Medical device security and the risks associated with those devices are getting increased attention. A recent article in The Hill highlighted the concern the FDA and private industry have regarding these devices. The FDA has issued both pre- and post-market guidance, with the goal of improving the security of connected medical devices during development and manufacturing. In March 2017, OWASP, the Open Web Application Security Project, released a set of best practices for securely deploying connected medical devices. The OWASP best practices contain seven high-level categories encompassing thirty-two recommendations: Purchasing Controls, Perimeter Defenses, Network Security Controls, Interface and Central Station [...]

How Tech is Changing the Healthcare Customer Experience

A recent Telus International article explored the way big data and tech trends are changing the healthcare customer experience. Specifically, it explored how telemedicine, data-driven medical care, the use of wearables and their application for clinical benefit, patient-centered care, and patient privacy issues and concerns about data security will transform the experience for both provider and patient. Prior to the implementation of the HIPAA Privacy and Security Rules, very little attention, if any, was paid to healthcare data privacy by patients. HIPAA, as well as frequent data security breaches, has elevated the concepts of patient data privacy and [...]

Player Data and Wearable Tech Security and Privacy

In a recent New York Times piece, Marc Tracy discussed the implications of the University of Michigan football team’s recent decision to enter into a contract with Nike worth $170 million. A clause in the contract could allow Nike to collect personal data from University of Michigan athletes through wearable technology such as GPS trackers, heart rate monitors and other devices that track and log other biological and personal information. While Tracy reviews the issues associated with athletes’ rights in college sports, I am primarily concerned with the issues of privacy, security and wearable technology. A recent analysis of [...]

HHS Issues Ransomware Guidance

HHS recently issued ransomware guidance clarifying that a ransomware attack involving ePHI (electronic Protected Health Information) is a HIPAA breach unless the Covered Entity or Business Associate can demonstrate that there is a low probability that the PHI has been compromised. Ransomware is a type of malicious software that denies access to data, generally by encrypting the data with a private encryption key that is only provided once the ransom is paid. Sometimes the ransomware will also steal, destroy or export data from information systems. According to the guidance, since early 2016 there have been, on average, 4,000 ransomware attacks [...]

OCR Crosswalk Between NIST Cybersecurity Framework and the HIPAA Security Rule

Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, was issued by President Obama in 2013 and called for the development of a voluntary risk-based cybersecurity framework (CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” In response, the National Institute of Standards and Technology developed the NIST Cybersecurity Framework. The Framework was designed to help organizations manage and reduce cybersecurity risk, and to promote communication about risk and cybersecurity management. Healthcare and health technology companies must comply with numerous state and federal requirements, including HIPAA. In an effort to help companies improve their cybersecurity strategy, the US Department of Health and [...]

Vulnerability Assessment vs. Penetration Testing—Which One is Right for You?

Many organizations conduct vulnerability assessments, while fewer conduct regular third-party penetration tests. Both are critical components of a Vulnerability and Threat Management program. Vulnerability assessments identify security vulnerabilities in an environment, such as applications, networks, etc. Testing should produce a prioritized list of vulnerabilities and guidance on how to remediate them. The goal is to identify the issues and to help the company direct its resources to the vulnerabilities that introduce the greatest risk to the enterprise. While there are many different definitions of a penetration test, I tend to lean towards a test that aims to breach the information security of [...]

The NIST Cybersecurity Framework

Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, was issued by President Obama in 2013 and called for the development of a voluntary risk-based cybersecurity framework (CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” In response, the National Institute of Standards and Technology developed the NIST Cybersecurity Framework. The Framework is voluntary and is based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructure, including the CCS CSC, COBIT, ISO/IEC 27001:2013, and NIST SP 800-53 Rev. 4. The Framework was designed to help organizations manage and reduce cybersecurity risk, and to promote risk and cybersecurity [...]