The CyberPHIx Roundup: Industry News & Trends, 2/19/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Law firms under fire: 5 law firms hit with ransomware and Legal Services ranked in top 10 most vulnerable vendors servicing healthcare entities
  • HHS Office for Civil Rights makes changes to individuals’ right of access to health records following lawsuit from Ciox – implications for privacy and security programs are discussed
  • Interoperability rules from HHS and CMS, Epic’s pushback on privacy, pros and cons of the new Interoperability requirements for security and privacy

Brian Selfridge: [00:00:08] Good day and welcome to the CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading healthcare, security, privacy, and compliance leaders at or on your favorite podcast hosting platform. Just search for CyberPHIx, CYBERPHIX. 


Brian Selfridge: [00:00:35] So let's dive into this week's updates. I'm going to start with a couple of ransomware updates. It seems like we could probably do that every week if we wanted to. But I want to focus on five ransomware attacks that were reported on a website called, where five law firms, in particular, were targeted in a round of attacks using the Maze and Maze-e ransomware variants. So in this case, data was actually posted online from two of the firms by the ransomware malicious actors. And the bad guys are starting to post small amounts of sensitive information, even before they release the ransomware demand, by showing proof that they have the information and that they can put some of it on the black market. And part of the attack is they'll say, OK, we have your information, pay us X amount of money, or else we're going to publish it. So here is some of it. And then they'll start to leak it out over time until eventually, they'll just put it all out there if organizations haven't paid up. 


Brian Selfridge: [00:01:33] Now, the reason I think this series of attacks is particularly important is that we've noted that law firms are actually one of the more vulnerable vendors or groups that has potential access to sensitive information, including patient information. There was a report by our sister company, Corl Technology, CORL, where Corl released a study that assessed over 50,000 vendors servicing the healthcare community for their security controls environment and noted that law firms are one of the highest risk vendor categories for the last several years running. Legal services are actually number eight on the top 10 list of vendors most likely to have a breach. And they tend to have a lot of sensitive information and very rarely have dedicated information security teams or very strong security control capabilities, which just increases the likelihood that they are going to have an attack. So very interesting that we see these actual law firms getting attacked with the ransomware variants in the Maze side of things because they think that's going to be a continual theme that we see. And if you want to learn more about the study that was done, that puts legal services up there, if you want to find out what number one through seven is on the top 10 or one through 10, go to our Resource Center on We actually have a webinar where we covered the full list of vendors and talked through it in a lot more detail. So if you go to that resource center on, you can search for the world champions. It's technically called Champions Guide to Third-Party Risk Management. Very interesting results of that, but also interesting to see these law firms. So if you have a third-party risk program and you don't have law firms on your radar or as part of that business associate group that you do routine audits or reviews of, you definitely want to get them on your radar this year. 


Brian Selfridge: [00:03:20] The second area that we'll focus on today is around some more regulatory updates from OCR and HHS. So the Department of Health and Human Services has reversed their position on the fees that could be charged to patients that request their information in electronic format. So this is the whole individual right to access healthcare records. The change comes from a successful legal action taken against HHS by the healthcare records management company Ciox. Ciox claimed that the fee limitations should only apply to records requested by the individual themselves and not necessarily for records that are requested to be distributed to other third parties like law firms or insurance companies. Geez, law firms keep coming up all day today, don't they? Ciox felt there was an undue burden, a financial burden, for the tens of millions of records requests that they have to handle each year as part of the business model and having to pay for that going to individuals other than the actual patient themselves. And so they sued HHS and were successful in that lawsuit recently, based on guidance that HHS put out in 2016, indicating individuals could not be charged by Ciox for sending their records to third parties at no additional cost to anybody other than Ciox. So that's an interesting turn of events. I think where this is going to have the most impact is on organizations that do have NHIN or a healthcare records management function within their organization or if the entirety of their business depends on health information management, certainly they'll be impacted. 


Brian Selfridge: [00:04:50] I think those entities that do have those functions are going to need to take a close look at their policies and procedures around the individual right to access records and what the protocols are around that, when they can charge and when they can't. Make sure that the new guidance and this particular case are reflected in how they manage the fees and make those changes accordingly. So interesting update there. I think it's rare that we see reversals from HHS. And sometimes it does take a lawsuit to get to that point, but certainly, want to make sure you're paying attention to that if any of that applies to you. If not, it might just be useful to know, as things do shift from time to time. 


Brian Selfridge: [00:05:26] The last area we'll focus on is around some major changes also from HHS and CMS focused around interoperability. And that seems to be the word of the year, doesn't it? There are several changes in rules coming out from HHS and CMS around the promotion of interoperability of electronic health record information between electronic health systems, between electronic forums and platforms. And these new rules are generating debates in privacy and security circles about the pros and cons of easing the flow of patient information across systems and platforms. So first, after several years of driving the adoption of electronic health record capabilities, the meaningful use incentive program from CMS has been, I think, largely successful in that endeavor, arguably. But it's now shifting gears into focusing more on the interoperability of systems and data. And then we have HHS proposing the interoperability rules that HHS and ONC introduced last year in 2019, and those are starting to get a lot more attention from the privacy and security circles, particularly around some 11th-hour resistance from Epic, the electronic healthcare provider, Epic, who, along with Cerner, has been criticized for their perceptions that they have practiced what HHS calls "information blocking." That's a term that they've been using exclusively. By restricting access to patient information through technical means, like APIs, application programming interfaces, and other means, historically Epic and Cerner have kept the cards close to their vest and cited proprietary concerns for not sharing information coming into and out of that, just using those for example, particularly since Epic's been very vocal now. Epic cited information privacy concerns as the reason that they are not thrilled about the interoperability rule. 


Brian Selfridge: [00:07:28] But I think skeptics would perhaps call out that perhaps they're sticking by their traditional proprietary protocols and approaches to information sharing for that concern, as Epic hasn't been particularly a privacy champion in prior years. It's interesting to see them come out as looking at that as their primary concern for this particular rule. Now, increased interoperability generally between systems has a lot of potential benefits for patients, but it also means a much larger technology footprint for sensitive patient information, or PHI, that may be traversing between now an increased number of systems. And we know that many healthcare entities and vendors servicing healthcare don't have the greatest track record on information security and privacy in general. We've seen that in the number of breaches, and we know that from the audits and assessments that we do as well. As I mentioned earlier, our sister company, Corl Technologies, does this work, and we've seen just that the more vendors are out there, particularly more being in the sort of startup realm of things, or organizations that haven't built strong security and privacy capability. Seeing more of those vendors out there in the market may mean more breaches, may mean more opportunities for that information to be misused or abused, or breached in other ways. 


Brian Selfridge: [00:08:49] Now, in the actual interoperability rule itself, organizations can claim exemptions for sharing information based on security concerns. So if they have well-documented concerns with, hey, we're not willing to open up and share this information to X, Y, and Z third party or for these sorts of purposes, because we have a reason to do that, until we need to get the security straightened out. They can do that technically, but they need to document detailed justifications about why that is and make sure that there is no ambiguity to that concern. You can't just say, well, we're citing security concerns in general or privacy concerns in general. They need to be very specific. And that's because there are some fears that the EHR providers and others will simply claim security is the reason for continued, again, "information blocking." I'll use that word in air quotes again. Which is essentially keeping that information from being shared with potentially competing entities or entities that aren't owned or managed by those big-box electronic health records providers and others. So if the ONC rules go into effect, security and privacy teams are going to need to make sure their policies are crystal clear on PHI portability requirements and any of those exceptions, tracking rules, or procedures. They need to make sure that they're sticking to those rules every time out and not just when it may be convenient in certain cases or may be inconsistent with other sorts of business drivers. And also security teams are going to need to continue to invest in their risk assessment and third-party risk management capabilities to keep up with the anticipated influx of new APIs and connections and vendors and VPNs and systems that are going to be swapping sensitive patient information around. As these new rules and incentives come into place, they're requiring organizations to do more of that interoperability between systems. 
So very interesting to see how that's going to play out this year. I think interoperability has legs. It's going to continue to move through CMS and HHS. And I think the security woes are going to be very similar to what they've always been. We have a lot of interoperability already. So it's not like this is news or a whole lot of a different set of circumstances. I think we just need to make sure we're doing the right things from a security standpoint on third-party risk and security controls and certifications and all the other things that we'll continue to drive maturity in the security space, as data gets proliferated all over the place. 


Brian Selfridge: [00:11:16] So lots to pay attention to there. But for now, that's it for this episode of the CyberPHIx Healthcare Security Roundup. We hope this information has been useful for you and informative, and we'd love to hear from you if you want to talk about any of this. Just reach out to us at [email protected]. So long for now. Thanks for everything you do to keep our healthcare systems and organizations safe.