The CyberPHIx Roundup: Industry News & Trends, 11/25/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Congress passes the Internet of Things (IoT) Cybersecurity Improvement Act of 2019-2020; impacts to the healthcare industry are discussed
  • Analysis of the recently approved cybersecurity exception for the Stark anti-kickback law from HHS
  • An overview and review of NIST’s newly released SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem
  • Updates from Canada’s proposed Digital Charter Implementation Act (DCIA) of 2020 and what this means for US-based healthcare organizations


Brian Selfridge: [00:00:11] Good day. Welcome to the CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center, which includes our CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational stuff.

Brian Selfridge: [00:00:36] So let's dive into this week's CyberPHIx episode.

Brian Selfridge: [00:00:41] Congress passed the Internet of Things Cybersecurity Improvement Act of 2019-2020, otherwise known as the Cybersecurity Improvement Act of 2019-2020. So they passed the bill last week. Congress did anyway, and it promptly cleared the Senate by unanimous consent. This is an IoT bill that was originally introduced in August of 2017. So about three years ago is when the wheels started turning on this. And the bill requires the National Institute of Standards and Technology, or NIST, as we, of course, have come to know over the years, and the Office of Management and Budget, or the OMB, to take specified steps to increase cybersecurity for Internet of Things devices. IoT is an extension of Internet connectivity into physical devices and everyday objects, says NIST. Now NIST is commissioned to create the IoT security standards by March of 2021, and they've already been working on it. That's sort of the deadline to finish this up. So NIST included standards and vulnerability reporting frameworks in this new requirement for IoT devices. Now, why is this important? Well, first off, the enforceability of the act will only apply to IoT manufacturers and devices that are used and deployed and purchased by the federal government. So this is not something that's going to be required across the board. However, this will hold manufacturers of IoT devices to building security in up front if they want to have the opportunity to sell and deploy and use those devices in any sort of government function.

Brian Selfridge: [00:02:11] And of course, that's a very, very large client, huge purchasing power from the federal government, leveraging that purchasing power to be able to require these major brands and these major organizations to build security up front into the IoT systems and devices. And that, of course, should have a net benefit for all companies downstream, including healthcare, as those devices get hardened and secured, and we pay more attention to the security and privacy right up front for those. So it's really, really great news, I think, for the industry. Now, the final step: it's cleared Congress and the Senate, which is always a challenge to do no matter what you're putting up. But since it cleared by unanimous consent, the next step is for the president to sign the bill. If the president chooses to do nothing, then this will become law in 10 days if there's no action taken, signed or vetoed. If the president chooses to veto it for some reason, then the House and Senate will very likely override the veto. Given that there was a unanimous vote on this, that will be fairly straightforward to do. It looks like any way you shake it, this one is here to stay. And it's great news for improvements to securing the emerging threats from vulnerable IoT devices, which could also end up extending into medical devices in some ways, potentially. And we'll see sort of how that plays out. So great news there.

Brian Selfridge: [00:03:24] Another update from the federal government this week is that the Department of Health and Human Services created an exception for cybersecurity to the Stark anti-kickback law. So for those that are unfamiliar with Stark, this has been around for a while. Basically, Stark prohibits health systems, just as an example, from giving money or things of value to physician practices to encourage them to send patients to their facilities for inpatient or specialty procedures. So, in other words, it's bribery, or otherwise referred to as the anti-kickback law for healthcare. So why would they carve out an exception? Well, the exception is actually a very welcome one for the industry because it allows health systems to provide security software and other security capabilities to these physician practices, as physician practices in many ways have become one of the weaker links in the chain of custody of patient information as it is shared to and from local physician practices. Very often those small physician practices don't have quite the budget and capabilities to buy the fancy security software and endpoint protection and other types of capabilities that are out there. And so this allows the health systems to provide that software licensing downstream, which really is a win for everybody involved.

Brian Selfridge: [00:04:40] Any time we can strengthen the entire chain in the ecosystem of where patient information travels, from delivery settings like physician practices to inpatient settings and hospital systems, as well as third parties, we've got all kinds of places this is going. So this is a great, great update, I think, for everybody. Now, this was originally proposed in 2017 by an HHS cybersecurity task force, which proposed this exception to the Stark Law, but it finally got the go-ahead this week. And that's very exciting. And this isn't the only Stark exception, for those that have been following this. Years ago, there was another exception deployed, historically, that allowed health systems to provide physician practices with electronic health record capabilities and software during the whole meaningful use incentive program build and rollouts, where that was a big push for the industry overall. So I think this is great news and a chance for us to further secure the healthcare ecosystem and the provider settings, and also help physician practices that have strained and stressed budgets. So this will be a great opportunity to help them bolster their cybersecurity capabilities.

Brian Selfridge: [00:05:49] The next update today is a new healthcare cybersecurity guide that has been made available specifically for telehealth by the National Institute of Standards and Technology. Here's NIST again. Well, lots of federal activity this week. I guess we have some end-of-year deadlines coming up where things need to get passed and done, with a month left. I think we're seeing some great movement here. So NIST has published the special publication NIST SP 1800-30, Securing Telehealth Remote Patient Monitoring Ecosystem. So this is really, really cool and I recommend you check it out. Basically, the standard is designed to support secure remote patient monitoring, or RPM as it's defined in the standard, which is effectively a version of telehealth or another way of sort of framing telehealth. So NIST performed a risk assessment of RPM, remote patient monitoring, and telehealth, and determined that such a standard as this was required to support cybersecurity and privacy protections specifically for telehealth platforms and applications. Those who have been following us on the CyberPHIx here and throughout the year have known that telehealth, with its shotgun deployment and security weaknesses, is becoming an area of concern for many healthcare organizations, as well as just patient privacy and other things. So this is great timing. Now, there were multiple collaborators on the standard, including tech companies like Cisco, Tenable and LogRhythm on the security side, as well as some leading healthcare providers like our very good friends at the University of Mississippi Medical Center. Big shout out to Steve Waite there, who has done some great work in the space, and his colleagues, as well as Inova in DC. So glad to see the providers rolling up their sleeves and getting some contribution to these important new regulations and standards. In this case, it's a standard.

Brian Selfridge: [00:07:29] So the practice guide is very thorough and it's specific. I love prescriptive types of standards that give you some real guidance on what to do and how to handle it. There's a threat and risk matrix that's specific to telehealth, which is great. There's also controls guidance that's aligned with the NIST CSF cybersecurity framework, with emphasis on key control domains like identity and access management, physical security, asset management, remote maintenance and much more, but focused specifically on telehealth and RPM. I have to get that acronym down. I'm working on it. Remote Patient Monitoring. The standard includes both privacy and security requirements or guidance, which I think is a continuation of a trend of consolidating privacy and security functions in both practice and regulations and standards that we've seen over the years. I think that's going to continue into next year. There's also secure architecture guidance and diagrams with excellent detail and good old UML diagrams, for those that are in the software development space or have been in prior years. UML is just a very specific way of showing how systems flow data back and forth between each other.

Brian Selfridge: [00:08:35] And so there's some really cool detail about the RPM technical architecture and how you should set it up and how you should assess your telehealth and remote patient monitoring applications to make sure that they're designed securely from not only the product perspective, but also sort of the interfaces between key systems.

Brian Selfridge: [00:08:51] So if you want more information about the new NIST standard, of course you can check it out and I recommend you check it out, the actual publication from NIST. But you can also contact us here at Meditology as we've been offering a new risk assessment service specifically for telehealth platforms in line with the new standard so that we can talk you through it or help you assess your RPM platforms as needed.

Brian Selfridge: [00:09:11] The last update for today is we're going to step just over the border outside of the US into Canada and Canada's Digital Charter Implementation Act of 2020 (DCIA), another acronym. This is a proposed Act, one that hasn't been put into law yet for Canada, that intends to introduce a new law which will be called the Consumer Privacy Protection Act, or CPPA, which sounds a lot like the California acts and their acronyms. But the law is designed to, and I quote, "increase protections to Canadians' personal information by giving Canadians more control and greater transparency when companies handle their personal information. The CPPA would also provide significant new consequences for non-compliance with the law, including steep fines for violations," end quote.

Brian Selfridge: [00:09:56] So this is very similar to GDPR out of the EU in its intent and structure, though certainly not as overarching and comprehensive as GDPR. But the general idea is there, and it really follows the trends that we've seen, as I mentioned, in the California privacy laws that just got released over the last year. And then there's another one put out during the most recent election that was approved by the citizens of California. So California's been leading out on this. There are many other states, I think six or seven other states, that have privacy laws like this in the works or enacted. So some of the provisions include consent management, allowing patients, and Canadians in this case, to provide consent to how their data is used and transmitted. Again, very similar to GDPR. There's a data mobility piece that says when and how the information will be required to be accessible across different platforms and applications. So you can think of the recent US 21st Century Cures Act as an example of that sort of trend, where there's requirements that you have to be able to allow patients to access and share their information across different platforms and functions and smartphones and all that stuff. There's also an interesting provision here around the transparency of algorithms.

Brian Selfridge: [00:11:07] So they want to make sure that you're able to show how your artificial intelligence and machine decision-making is built and designed so that there are no secrets about how the information is being used in those sort of AI type of scenarios. So that's really interesting. There's also a de-identification component, which is another big theme that we've seen on the U.S. side as well. From an enforcement standpoint, fines will be up to three percent of global revenue or up to 10 million dollars for most offenses. And then there's a special category of up to five percent of global revenue or 25 million dollars for serious offenses. That's almost like the willful neglect type of things in the HIPAA world. So this is yet another movement forward for global privacy regulations that have gathered momentum this year, which I think will become a big theme for healthcare security and privacy programs heading into 2021 and beyond. So keep your ear to the ground on this one. And I think you're going to need to start putting in place some policies and procedures that will anticipate these regulations. Even if you aren't in Canada or California or one of these states, I think the US is close behind in putting something out at the federal level.

Brian Selfridge: [00:12:17] So that's all for this session of the CyberPHIx Healthcare Security Roundup. We hope this has been informative for you. We'd love to hear from you. If you want to talk about it, just reach out to us at [email protected]. We will also be releasing a very special podcast episode next week that looks back on the year 2020 from a healthcare cybersecurity and privacy perspective and looks forward to the themes we can expect to see in 2021. You'll definitely want to check that out as we sort of take stock of the situation and where we're headed together as an industry. But for now, so long, and thanks for everything you do to keep our healthcare systems and organizations safe.