The CyberPHIx Roundup: Industry News & Trends, 1/21/20

Brian Selfridge: [00:00:08] Good day and welcome to the CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders at Meditologyservices.com or on your favorite podcast hosting platform. Just search for CyberPHIx, CYBERPHIX. 

 

Brian Selfridge: [00:00:35] So let's dive into this edition. The first item that we wanted to bring to your attention is an OCR fine for Sentara hospitals that came out in December 2019, toward the end of the year. Where Sentara was fined $2.2 Million for a failure to report breaches of patient information that were mailed to the wrong patients. So that's not so much just that they had this misdirection and the issue with sending patient information out in mailings to the wrong places, which is certainly a breach of the violation and an issue. But they failed to report that to the OCR in the standard reporting channels required by the breach notification rule. So that was a big part of the fine. Another focus of this fine was the lack of a business associate agreement with Sentara Healthcare, so Sentara has Sentara hospitals, the primary covered entity, and then they have Sentara Healthcare as a business associate who had access to the information, and there was no appropriate VAA or such agreement in place between the entities. 

 

Brian Selfridge: [00:01:40] So a couple of reasons why I think this fine and resolution is important as a trend and to look into 2020 and beyond is that I think organizations need to certainly pay attention to the breach notification rules and requirements. OCR has been very forward in taking action on those, and there are no exceptions for those reporting requirements. But then also understanding your business associate agreement inventory, understanding if you have the right agreements in place, certainly with third parties first and foremost. But then where you have the sort of parent-child affiliate entity type organizations, making sure that all the legal I's are dotted and T's are crossed becomes really important as well. So lots more on that as it unfolds, but I think it's an important one to look at. 

 

Brian Selfridge: [00:02:34] Another item that we saw recently I think is worth highlighting was an electronic health record downtime at DCH Health in Alabama that resulted from a ransomware incident in December 2019, last year. So a couple of reasons why this is an interesting case. One, DCH had this ransomware incident, but the downtime was over ten days, where the electronic health record was unavailable and hospitals actually diverted patients to other facilities and closed the doors to all but emergency care situations. And so having been a security officer in a health system for a number of years previously myself, I know any time we diverted patients for any reason, there are very real financial impacts and dollar impacts to that event. And so I think this is important from that instance where ransomware is causing significant financial impact above and beyond just the ransom itself if they were to pay it or had to pay it. 

 

Brian Selfridge: [00:03:38] But then there was also a class-action lawsuit brought by the community against DCH Health again in Alabama for this incident and patients saying in the class action suit that they were unable to receive critical treatment that they needed. Some in that suit claimed that they were unable to get their prescriptions available or renewed in a timely manner, impacting their health and well-being, and then also the sort of violation of the HIPAA requirements. And we do care needed to protect their sensitive information was also cited, sort of all lumped into that. So I think it's not the first or the last class action lawsuit that we'll see. And we would expect to see this trend continue. So you start seeing these ransomware incidents and these breach impacts are much more than just a regulatory issue or perhaps an OCR fines or resolutions. But we're seeing very real impacts to patient safety. Financials, as I mentioned there, for diverting patient care. You have brand reputational damage, loss of trust, and potential financial action from the class actions that play out. So I think this sort of guidance for healthcare security teams and compliance leaders is to make sure you're having those conversations with the business leaders to understand these events, to be able to prepare for them, to be able to not only put the security, preventative controls in place but be able to anticipate how the organization will respond to ransomware attacks by having the playbooks and the instant response procedures ready and doing simulations and tabletop exercises. And if you want some more details around other ways to deal with ransomware in general, we've got a blog out on that recently. And I also had an interview with Brian Dijkstra from Atlantic Data Forensics in our CyberPHIx interview podcast series that I would recommend checking out, where we talk about the ransomware attacks and the latest of those and how to deal with them. So that's another trend to pay attention to this month. 

 

Brian Selfridge: [00:05:41] And then the last area we'll focus on for this session to catch you up to speed on some of the trends in the big focus this year on IoT Internet of Things, Internet of medical things, medical devices, and asset management, as it relates to all of these unmanaged devices. So we're seeing a lot of organizations move away from just worrying about your traditional servers and endpoints in workstations and having to get a handle on which devices we have, where are they, and do we have the right information about those devices. So just a quick anecdote there. We've worked with organizations that even have some of the latest and greatest IoT discovery tools, and they've got the asset inventories. But when it comes down to actually having to patch medical devices, for example, we're finding out that those devices and those inventories don't have critical information, such as the serial number for that device, which is necessary to then provide to the medical device manufacturer to patch that device. So you've got to get the right patch. To get the right to that patch, you need the right serial number and need to know where that device is, and what ID it's running, and all kinds of things that many organizations are are not having adequate systems and processes to deal with. So expect to see that to be a big focus area this year. Also, organizations looking at further segmenting their networks to protect these devices in certain asset categories like medical devices, for instance, or IoT devices. We're seeing micro-segmentation as a potential area, which is just a more granular way of cordoning off devices and assets into more logical groupings and preventing communication across those groupings. So we can expect to see more attention to that this year as well. So a lot going on. A lot to cover, and we'll be doing these updates on a regular basis just to highlight some of the key areas to pay attention to in the near term. 

 

Brian Selfridge: [00:07:37] But that's all for the session of the CyberPHIx Healthcare Security Roundup. We hope this information is informative for you, and we would love to hear from you as well if you want to talk about any of this. Just reach out to us at [email protected], [email protected] So long. And thanks for everything you do to keep our healthcare systems safe and secure.