The CyberPHIx Roundup: Industry News & Trends, 2/6/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare security this week:

  • The new NIST Privacy framework released in January 2020
  • OCR fine for Texas Health and Human Services ($1.6m)
  • A breach reported by The University of North Carolina (UNC) at Chapel Hill School of Medicine
  • New research that correlates cybersecurity events to adverse patient safety outcomes

Brian Selfridge: [00:00:08] Hello and welcome to CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on meditologyservices.com, which includes our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders, as well as blogs, webinars, articles, and lots of other educational stuff that I think you might find informative and useful, hopefully. We got a ton out there and are excited about the new research center, so go check it out. All right. But let's get into our roundup. 


Brian Selfridge: [00:00:42] We've got a number of updates to provide for you this week. First and foremost is the release of a new privacy risk assessment framework, a new privacy framework from NIST. So for those that are familiar with the NIST Cybersecurity Framework, or NIST CSF, it's a very similar concept, idea, and layout, but for the privacy side, and there's a good reason for that. We're seeing a major focus in 2020 on privacy with the movements of new privacy regulations for 20 or so states. There's a lot of congressional activity around the privacy regulation space on the federal side. And some of the moves from the big organizations, Amazon, Google, and others getting into healthcare and amassing healthcare data are raising flags on privacy and having folks look at privacy quite a bit more closely. And also on the heels of GDPR on the EU side, which is creating a big splash as well. 


Brian Selfridge: [00:01:39] So the NIST Privacy Framework is broken out into three major components called the core, profiles, and implementation tiers. So the core is key privacy activities that are sort of broken out into categories and subcategories, and then profiles outline your organization's current privacy functions. So what's the stuff that you're actually doing now? And you can sort of document, using your profiles, what you are doing and not doing and have a common vernacular for that. And then the implementation tiers are sort of the level of maturity that the organization is applying relative to privacy controls. So for those familiar, for example, with the HITRUST common security framework on the security side, it's kind of a similar idea, where they have their tiering structure, levels one to three, of maturity and implementation. So the privacy framework has something that kind of looks and feels like that a little bit. The categories of the NIST Privacy Framework are identify, govern, control, communicate, and protect. So again, very similar to the NIST CSF, where they have their five categories that sound a lot like that. But this is focused exclusively on the privacy side. And the NIST Privacy Framework really looks at privacy as a function of enterprise risk as opposed to just a HIPAA privacy lens and sort of check the box and make sure you've got the rights, authorizations, and paperwork. This is much more of looking at what's the potential exposure to the business to have patient privacy impacted if there were events or breaches and non-compliance activities otherwise. So that's a big theme we see this year. And glad to see this framework out there. I think the practical application of the privacy framework from NIST would be either for privacy risk assessments at the enterprise level, for your own organization, for covered entities, but also for assessing third parties and their privacy controls. 
So as more and more data gets shared over to third parties for a variety of business purposes, there's a lot of scrutiny on the security side and security questionnaires and audits and everything else. The privacy frameworks are a good way to start including privacy in that conversation and getting a handle on the third parties' capability and privacy protections in order to protect your patient data or the patient data sets of information that's being shared. 


Brian Selfridge: [00:04:00] The framework is also a good mechanism to use to communicate privacy risks at an executive level. So it's a little bit more common sense, a little bit more terminology, I think more digestible perhaps than some of the letters of the law and the HIPAA privacy rule. So I've always found the NIST Security Framework to be useful that way, and I think the privacy framework is going to be equally useful. Also, another good reason to pay attention to this is that it's likely that any future federal regulation around privacy or any enhancements to HIPAA privacy regs are going to point to the NIST Privacy Framework as one of the preferred or guiding principles around those federal regulations. As OCR and HHS have always pointed to NIST on the security side, I suspect they would do the same on the privacy side when the time comes. 


Brian Selfridge: [00:04:48] All right. So we also want to bring you up to speed in the Roundup here on a couple of fines and breach activities that point out some themes that we're seeing over the last couple of months that I think might be useful for everybody. The first is a 1.6 million dollar fine for Texas Health and Human Services, where they had patient information on a publicly accessible database. The resolution cited a flaw in the software code, which is basically just a configuration management issue, where the information became Google-able. And they also pointed out that there was no enterprise-wide risk analysis conducted by the organization, or an inadequate one at that, as well as inadequate access controls. So the lack of an enterprise-wide risk analysis is a theme that we just see over and over and over again. So I won't harp on that too much more other than to say if you have a risk analysis process, or you're doing it in-house, or you have a third party doing it for you, make sure that your web applications, your databases, these public-facing components are in scope for those assessments. And you're not just focused on your primary electronic health record or your financial systems. It's got to cover anywhere that PHI exists. OCR has been very vocal about that, as in this other case. 


Brian Selfridge: [00:05:58] The other thing to point out is also looking at making sure that you've got database risk assessments in place and security audits going, as well as web application and anything web-facing risk assessments, in addition to an enterprise-level view, just making sure you pay close attention to those. We've just been seeing so many of these web-facing issues. Like there was another one with Tū Ora Compass Health, who I'm sure I'm pronouncing incorrectly, several words. But they had a million patient records released to the public web through poorly configured website controls and had exposed patient health insurance data. And there was another case where five million records were out that a researcher found for drug rehab patients in Pennsylvania a little while back. So these are just themes that keep going on and on. So pay attention to those for sure. 


Brian Selfridge: [00:06:48] Another case that we're looking at, or the breach anyway, reported recently was the University of North Carolina, UNC at Chapel Hill School of Medicine, which began notifying over 3000 patients that their PHI may have been exposed in a phishing attack that involved some of the school-university accounts. Now, access was limited to e-mail accounts, but those e-mail accounts apparently contained patient information, Social Security numbers, credit card data, and other sensitive stuff. So I think this is worth pointing out. First and foremost, if you're in an academic medical center setting, we're seeing a big theme, where those organizations are really struggling to apply the same level of controls across their healthcare side of the house, as well as to researchers and students and the university side of the house. So make sure that you're getting those phishing tests and your controls equally applied across the organization. Really make sure to pay attention to that university side as well, and the research side, as that's where we've seen a lot of breaches. This particular case also called out multifactor implications for a lack of multifactor authentication. So want to make sure, for some reason, again, academic medical centers seem to be falling behind the trends on being able to deploy multifactor authentication. That's just a huge gap in protection and they need to get caught up there. So it's getting to a point where some of the cases that we've seen are starting to dance around that willful neglect from OCR, if you don't have the multifactor in place, and you're not doing these phishing tests. So lots to pay attention to there, if you aren't already. 


Brian Selfridge: [00:08:19] All right. And the last area we're going to highlight for this week to catch you up on is a couple of trends we're seeing in impacts of cybersecurity events on patient safety and patient health. So two things we'll talk about. One is a recent study published by Health Services Research that found that there is a correlation between organizations that have suffered a data breach and the subsequent care and outcomes for cardiac patients. So without getting too much into the nitty-gritty, they have some statistically significant data, the study says, that patient safety outcomes were negatively impacted for organizations that experienced the breach, and they draw some potential conclusions as to why that is. Another case that I'll point out is our own research we've done here at Meditology on the medical device security side, where we've spent some time analyzing the federal database, the FDA database, called MAUDE, where it's required to report any patient safety impacts related to medical devices and their malfunction in particular. And we've identified a number of cases where medical devices were rebooted or inaccessible. They don't say whether it's related to security incidents or rebooted for some other reason or it was just not working. They seem to be intentionally vague, as they report these things. But I think it's safe to say that when devices get locked up for ransomware, for example, or other cybersecurity-related attacks, that you would see similar outcomes. But the database outcomes that we saw were patient deaths related to those devices getting rebooted, and sometimes in very large volumes related to specific devices. So I'd be glad to talk about that with you if you want to learn more. But I think the key theme, in summary, is that we're seeing an increasing trend in being able to tie the data back from cybersecurity-related issues into patient safety, adverse outcomes. 
I think those that have been working in the field long enough know that there's always been that correlation, that sort of logical correlation. But the data hasn't really been there to support it. I think we're starting to see some of the data come out and be able to make that case. 


Brian Selfridge: [00:10:29] So with that, we promise to keep these quick for you. So we'll wrap up our Roundup for this time around. We hope this information has been informative for you, and we'd love to hear from you. If you want to talk about any of this, just reach out to me or our team here at CyberPHIx, [email protected]. So long and thanks for everything you do to keep our healthcare systems and organizations safe, and we'll see you next time for a Roundup coming up soon.