The CyberPHIx Roundup: Industry News & Trends, 8/11/22

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. 

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • IBM’s and Ponemon’s annual Cost of a Data Breach Report summary, analysis, and implications for healthcare
  • Updated NIST guidance on HIPAA compliance approaches and expected practices
  • Facebook (Meta) and healthcare providers targeted with multiple lawsuits over health data privacy practices
  • GAO report warns of catastrophic financial loss due to cyber insurers backing out of covering damages from cyberattacks
  • $100m cost reported for Tenet Healthcare’s 2022 cyberattack
  • Major breaches with healthcare vendors OneTouchPoint and Avamere impacting more than 1.5m people
  • Cloud Security Alliance weighs in on third-party risk management in healthcare
  • Large-scale cyberattack campaign targeting over 10,000 organizations in phishing and financial fraud scheme
  • HHS Health Sector Cybersecurity Coordination Center alert about an increase in web application attacks on the healthcare sector
  • New ransomware task force report targeting government interventions to disrupt ransomware attacks
  • OCR issues 11 new financial penalties over HIPAA Right of Access failures

Brian Selfridge: [00:00:11] Good day and welcome to The CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry-leading practices, specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center, which includes our CyberPHIx interviews with leading security, privacy, and compliance leaders alongside blogs, webinars, articles, and lots of other educational material. We have a great agenda to cover today, quite a bit. So let's dive into it, shall we? 

Brian Selfridge: [00:00:46] All right. First up for this week's episode, IBM and the Ponemon Institute released their annual 2022 Cost of a Data Breach Report that lists healthcare as the industry with the highest breach costs of all sectors for the 12th year in a row. I'm going to go through some of the statistics here. There's quite a bit of takeaways in this report. It's one of my favorites. Every year there's just such good information. So I'm going to try to summarize the points that I found more pertinent overall, as well as just for the healthcare industry. So first, $10.1 million is the average cost of a breach for healthcare organizations. This is up from 9.23 million last year and is head and shoulders above any other industry. The other industries are coming in at like 5 million, 4 million and below; healthcare is at 10.1. Really, really staggering how much, in comparison, a breach will cost us. 

Brian Selfridge: [00:01:36] So some of the other statistics: $4.25 million is the average total cost of a breach for all industry segments. So again, that's sort of the average across the board, 4.5, and we're at 10.1, more than double the average. And so we've got some trouble. 83% of organizations studied have had more than one breach. That doesn't surprise me in the least. I think reportable breaches is sort of one category, but actual breaches becomes another. 19% of breaches occurred because of a compromise at a business partner. And this is actually kind of lower than what we've seen in other studies. We've seen 45, 50%; 40% is a pretty typical number I see for third-party breaches. Ponemon is saying 19% of those surveyed had a business partner involved. So that's pretty interesting, although I don't think that number is going to go down, whether it's 19 or 40 or above. Seems to be trending upward. Now, one really interesting stat is that 45% of breaches were cloud-based. So this is the big question, right, that we moved everything into the cloud off of on-premises environments. There was sort of this early promise that the cloud was going to be this great centralized place that did security really well. And we wouldn't have to worry about it. You know, you set it and forget it. So that obviously hasn't panned out. And particularly on the security front, there are so many features and functionalities and configurations on the cloud side that organizations are standing up generic instances of an AWS or Azure environment and missing really key settings or setting them to the wrong values, with many of the security exposures that end up cropping up as a result. 

Brian Selfridge: [00:03:16] So 45% of breaches being cloud-based is not surprising to me at all. I would think it'd actually be a little bit higher, because how many hacking attacks are really happening on on-premises environments? I think it's low. I think the cloud is really the target. But anyway, we'll continue to watch that number. Now, $4.5 million was the average cost of a ransomware attack, but that does not include the actual ransom itself and all the legal fees and everything else. So 4.5 million, you got to figure they're probably going to pay a couple of million, the average ransomware breach. So, you know, it's very quickly going to get up into that ten plus million, I would imagine. And we'll talk a little bit later about some of the ransomware attack costs that end up in the hundreds of millions and sort of some of the case studies popping out there now. 11% of the breaches reported were a result of ransomware attacks. So that actually is a bit surprising to me that it's only 11%. You know, we keep hearing about ransomware, ransomware, ransomware. I suspect that the volume of attacks is low for ransomware as compared with breaches like lower-level phishing attacks or email compromises of a single user account or something like that. 

Brian Selfridge: [00:04:20] But the impact is clearly far different from a ransomware event. So one ransomware event does not equal one other smaller event. So even though we're only talking about 11% of breaches being ransomware, those breaches can be far more costly, often in the multi-millions. And again, we'll talk about some ransomware costs later. So hang in tight for that piece. Now, 19% of breaches were caused by stolen or compromised credentials. And I know it's interesting that they pull that number out, but I would think a lot of the escalation path for many of the breaches involves stolen or compromised credentials, even if it's not the initial entry vector. $2.6 million is the average cost savings of a breach if you have an incident response plan in place, a good one, and are tabletop testing on a regular basis to make sure that plan is working. So, you know, that can get you from your 10.1 million down to seven point something or other. So everything we do to chip away and reduce the likelihood, sounds like incident response planning and execution are pretty important. 277 days is the mean average time to identify and contain a breach; that's actually down from 287 days. So we're getting there. It was about a year, about five or six years ago. 

Brian Selfridge: [00:05:33] It was like 365 days. The FBI said the average healthcare breach was identified and contained. So we were down to 287 last year, to 277, trending in the right direction. Hey, let's take our wins when we can. Now, some of the other takeaways, basically, we're just seeing more breaches, higher costs, and less help available from cybersecurity professionals to solve a lot of this. So let me dig into that a little bit. 60% of organizations in the study said they increased the price of their products and services as a result of their data breach, which really doesn't bode well for the healthcare industry. Right. As we're working to lower operational costs and everything else. You know, healthcare entities are also battling inflation, as we all are, as well as escalating employee salaries, shortages up and down the supply chain that aren't helping as well. So it's adding up to a tough picture. So I think we can expect to see a lot of those costs continue to get pushed down to the consumer and the health insurance carriers by design. So let's keep an eye on that one. Cost of everything's going up. Healthcare is no different. And 62% of organizations in the IBM report said that their security team is not sufficiently staffed. And we know we have a massive cybersecurity shortage. The government's trying to do stuff, we're trying to spin up processes. The demand is really high. 

Brian Selfridge: [00:06:49] So that doesn't surprise me. 62% saying they're not quite sufficiently staffed, although, you know, as a former CISO, I remember you never feel like you're staffed enough. There's never enough people to kind of keep on top of all the threats. So I kind of take that with a grain of salt, but I think it's legit. I think that there's an actual shortage and folks need help. So the top initial attack vectors for breaches included compromised credentials, phishing, cloud misconfiguration, there's that cloud topic again, and third-party software or vendors, and there's that topic again. They also noted in the report the top ten key factors leading to the reduction of breach cost. So if you do these things, your breaches won't sting quite as much. I'll give you a quick rundown of the top ten. One is artificial intelligence platform implementation, and I'm not quite sure what that means. I don't know if that's because IBM sponsored the report or what. But I guess wherever you can. Number two is the DevSecOps approach. Number three is the formation of an incident response team. So that's a big one. Extensive use of encryption is the next one, employee training, extensive tests of the incident response plan. Well, that goes back to number three. So that's number six, up to number seven is business continuity. Eight is insurance protection, nine is participation in threat sharing, and ten is identity and access management. So all those things, if you do them well, keep your breaches less costly. 

Brian Selfridge: [00:08:14] Now, on the flip side of that, they listed the top five factors contributing to higher breach costs, which include a remote workforce. Well, that's everybody, I guess. No way to put that genie back in the bottle. Number two is IoT or OT environment impacted, so if that's part of the breach. Three is a security skills shortage, sensing a theme there this week as well. Four is lost or stolen devices and five is third-party involvement. So gosh, great report. A lot of detail behind all that and analysis of healthcare and cross-industry factors, definitely worth giving that a read-through if you can. All right. Our next update today, NIST has released new draft guidance on HIPAA compliance for covered entities to comply with the HIPAA Security Rule. Now, much of the guidance isn't new per se, but includes really specific and concrete guidance examples of how to interpret and align the HIPAA Security Rule requirements, which was just something that so many people have had trouble with over the years. Now we're 20 years into HIPAA, it's getting better, but these guidance materials are always good to keep everybody on the same page. One of the biggest changes in this version is that the guidance now connects the HIPAA Security Rule items to the Cybersecurity Framework subcategories. So you can kind of get that mapping and understand how it plays in each part. 

Brian Selfridge: [00:09:31] I think this is a welcome addition that continues the trend of the CSF being kind of the Rosetta Stone for many of the frameworks and regulations that are being touted these days. Of course, in healthcare we care about HITRUST and some others as well, but NIST is still holding it down. So you might ask why we need clarifications of HIPAA and how to interpret it well, after decades of living with it? Well, you know, I can attest personally that there's many, many covered entities that are unknowingly or in some cases willingly misinterpreting the requirements for compliance, because there is some designed variance in the rules, not in how they get enforced, but in what's addressable, what's required, all those things. I've personally witnessed numerous examples of this in my own work as a HIPAA expert witness for OCR as well as working with our clients and interfacing with the market that way. So in fact, you know, I had a situation once where I actually lost work. I lost a project because I corrected misunderstandings to the senior leadership and compliance team of the organization about the law and how to align with it, not only from our experience, but from these types of documents that NIST puts out. And, you know, the guidance at times can be counter to what organizations either understand or sometimes requires more effort and investment, perhaps, to implement. So it's not always good news. 

Brian Selfridge: [00:10:54] So I've been the bearer of bad news on a couple of occasions and folks didn't like me telling them what they didn't want to hear. And they hired somebody that told them what they did want to hear, regardless of its accuracy. So these documents are great. So, by the way, my goal in saying this is not to disparage those organizations, but rather it's just to point out that accidental and willful misinterpretations are happening all the time for organizations large and small. Now, this updated guidance is focused on some of the more common areas of misinterpretation, particularly around risk analysis requirements and implementation specifications for the addressable provisions, including encryption. So the NIST guidance includes key activities, descriptions and sample questions provided for each of the standards. The key activities suggest actions that are often associated with the security function or functions suggested by that standard, according to the document. They say the description provides expanded explanations about each of the key activities, as well as the types of activities that a regulated entity may pursue in implementing the standard. So that's a lot of familiar language, but it really is important: what is reasonable and appropriate is what your peers are doing out in the industry. That's a big way in which HIPAA is interpreted and this NIST guidance supports that. So I can't tell you how many times I've had to testify in cases, HIPAA cases, where organizations just didn't consume or adopt guidance from HHS and NIST like this report, and they've had to pay the price for it years later down the road in millions of dollars of legal fees, settlement costs, civil money penalties. In other words, read these materials. 

Brian Selfridge: [00:12:31] They really matter. Now, I'm not going to attempt to summarize the entire guidance here. I mean, there's just so much in these publications since it's very comprehensive. But I am going to lay out some of the areas that are explained in detail. And so here they are, so you can get a flavor for them. The first is risk assessment and risk management. This is, if you do nothing else, read up on this section. It is the single most common cause of non-compliance with the HIPAA Security Rule. From my experience, folks just aren't getting it. So in a nutshell, make sure your risk assessments and risk analysis, you can call them whatever you want, it's the same thing, make sure they cover places anywhere where PHI or ePHI may exist. You have to conduct, and this really keeps coming up over and over again, conduct an accurate and thorough assessment, including assessing threats, threat sources, vulnerabilities, likelihoods, impact, classic risk calculations, right? So Meditology has put a ton of simplified guidance out on this topic as well, in addition to what NIST is putting out here, which is a little bit lengthier, but you can go to Meditology Services on our resource center and find the blogs and webinars on risk management, risk analysis, HIPAA, it's all in there, and definitely something you want to get a handle on if you haven't already. 

Brian Selfridge: [00:13:46] All right. Back to our list of areas covered in the NIST guidance. They have documentation and templates, that's always helpful. They have a section around small regulated entities. So you know how you may interpret HIPAA and the flexibility it gives you in a way that's appropriate for a small organization where you don't have to kind of keep up with what the larger organizations are doing. There's a section on telehealth and telemedicine guidance, mobile device security, cloud services. This is all recent stuff, right? Really good, timely guidance, where certainly when HIPAA came out, it didn't have anything on cloud services or telemedicine? I don't think so. Ransomware and phishing is another section, education, training, and awareness. There's a whole section on medical devices and medical IoT. There's one around protection of organizational resources and data, which includes stuff like the whole zero trust concept and all that stuff that we've heard about elsewhere. There's an incident handling, incident response section, equipment and data loss, supply chain, contingency planning, information sharing, access control, telework, and cybersecurity workforce. So I know for anybody that's running a security shop, every one of those topics is really important to try to figure out, are we doing the right things to check the HIPAA box? So this is a resource for you that can help a whole lot. 

Brian Selfridge: [00:15:00] Also, be sure to read up on the difference between required and addressable implementation specifications in the HIPAA Security Rule. This is one that gets a lot of organizations into trouble if it comes time to kind of go to bat with OCR about this stuff. So remember that addressable is in fact required for organizations where the provision is reasonable and appropriate. So that is really, really important to remember. Addressable does not mean optional. So for example, encryption is an addressable provision in the Security Rule. Be careful about assumptions like that you don't need to encrypt assets like laptops and mobile devices because that's addressable and therefore sort of optional. It's not really, if that's the industry standard and what is reasonable and appropriate for your organization. So it's a tough case to make these days. And encryption of laptops and mobile devices is not reasonable or appropriate in 2022. So just to close this up, NIST is going to accept comments on the publication until September 21st of this year. So you can get that feedback into NIST or let us know what you think and we can forward along your perspective as well as ours. All right. In other news, the media company formerly known as Facebook, some of you may remember them, is facing multiple lawsuits related to their screen scraping software that collected from many, many, many patient portals and healthcare Web applications, potentially in violation of HIPAA. 

Brian Selfridge: [00:16:22] As you might imagine, if you weren't sure what this story is all about, definitely listen to our last episode of the CyberPHIx where I give a detailed rundown and analysis of the big bombshell report that initially exposed Facebook's or Meta's potential misuse of sensitive health information. So one of the lawsuits alleges that Meta violated Facebook's duty of good faith and fair dealing rules, the Federal Electronic Communications Privacy Act, and California's Invasion of Privacy Act and Unfair Competition Law. They're trying to hit them with several books. The most recent lawsuit, that happened just right after the other one, is a class action suit filed by an anonymous patient referred to in the suit as Jane Doe, who says that Meta harvested her healthcare data when she used a patient portal for UCSF Medical Center and Dignity Health Medical Foundation. The patient says that Meta used her data for profit when it allowed pharmaceutical and other companies to send her targeted advertising related to her medical conditions. So the lawsuit goes on to say Meta knows that the user data collected through its Pixel on Healthcare Defendants' website includes highly sensitive medical information, but in reckless disregard for patient privacy, continues to collect, use and profit from this information. And according to this suit, Meta did not appear to have a HIPAA business associate agreement in place with the hospitals in question. 

Brian Selfridge: [00:17:42] So that's why they become named entities in the suit as well. So it's important to note that it's not just Meta being named in these lawsuits, it is health systems themselves. So this really highlights the point that third-party compliance and breach events are very much the responsibility of healthcare entities, and they're the ones that are going to have to feel the pain through the lawsuits or through other financial damages, outages, reputational impacts, all the bad things. So we're going to continue to monitor this class action lawsuit. There's two of them now. There may end up being more. So if you believe your organization used Facebook's Meta tool, then be sure to check out the blog and podcast we published on this a few weeks ago at Meditology Services for some more prescriptive guidance on how to move forward. Of course, you can always call us. We're doing assessments on this type of stuff. As you might imagine, some folks are scrambling. All right. In other news, the Government Accountability Office or GAO, a government watchdog, has warned that private insurance companies are increasingly backing out of covering damages for major cyber attacks, leaving American businesses facing, quote, catastrophic financial loss, unquote, unless another insurance model can be found. So the report from the GAO outlines the elevated threats facing all industries from cyber attacks, which are well documented on this podcast. We've been talking about that a lot, and the devastating cost for organizations that experience breach and ransomware events. 

Brian Selfridge: [00:19:04] The report goes on to note that cyber liability insurance carriers are getting spooked by the high costs and are actually backing out of the market altogether in many cases, and taking other severe measures to mitigate risks, including hard line limitations on what they will and won't cover. They're raising premiums to unprecedented levels, so it's a mess. Overall, the GAO report suggests that CISA and the Federal Insurance Office undertake an assessment into whether the above factors necessitate a federal insurance response along the lines of FDIC insurance for bank deposits and the National Flood Insurance Program. These reports from GAO are consistent with our own observations, and my own observations at least, of the situation, and definitely align with guidance and reporting we've been issuing on this podcast for the companies of Meditology Services and CORL Technologies. Overall, this is just such a big development, because the shifting of further burden and costs and organizations not being able to get insurance is just going to be a mess. We're going to keep watching this one, but it's clear the healthcare entities need to continue to invest and actually build and sustain robust cybersecurity risk management programs and rely less and less on the perceived safety net of cyber liability insurance. All right. I want to switch gears and talk briefly about a few specific breach events in healthcare that cropped up over the last few weeks that are worthy of note. 

Brian Selfridge: [00:20:23] The first is an admission by the massive healthcare provider Tenet that a recent cyberattack cost the organization over $100 million in Q2 of this year. The costs reportedly included lost revenue as well as mitigation costs. Tenet is one of the largest health systems in the country, operating over 450 healthcare facilities in the US. So specifically, in April of 2022, Tenet experienced a cyberattack that caused major disruption to its IT systems and acute care operations for several weeks running. The attack forced the staff to work with pen and paper during the recovery period, and at least one of the affected hospitals had to temporarily divert ambulances to other facilities. The attack also disrupted its phone system, with doctors forced to leave the premises to make phone calls. The cyberattack affected at least two hospitals and started on April 20. So geez, you can imagine how the costs start racking up from each and every one of those items. Now, Tenet reported that the cyber liability insurance covered only $5 million of the 100 plus million that it cost them. So that's a pretty impactful case study following our previous story, right on cyber liability insurance challenges. So in case you think this is an anomaly or some kind of inflated number, $100 million, that doesn't sound like it's going to hit everybody. Remember that we reported a similar breach earlier this year, an advisory from Scripps Health that cost the organization over $112 million. 

Brian Selfridge: [00:21:48] Vermont Health was up there in the 90 million plus. So that's where we're headed, folks. Real dollars and material business impact for these breaches. Now, two other notable breaches were also reported. One involves Avamere Health Services LLC, which is a business associate providing IT services to healthcare entities. The other is with OneTouchPoint, all one word, a company providing printing and mailing services to health insurers. These breaches are part of a massive wave of healthcare supply chain breaches that we've been reporting on extensively on this podcast and other publications from Meditology and CORL. So for more info, you might want to check out the Healthcare Vendor Breach Digest we put out on a monthly basis that'll give you a rundown of kind of all of the breaches. These are just two big ones, but it's just massive. And I can't believe how many are on there in that report every time we pull it together. The second organization, well, I'm sorry, the first organization, Avamere, is a company based in Oregon that provides IT services to healthcare entities. They had a hacking incident that resulted in two separate reportable breaches so far that impact nearly 100 covered entities and over 380,000 people. The second one, Wisconsin-based OneTouchPoint, providing printing and mailing services, is an apparent ransomware incident affecting more than three dozen of its health insurance clients and nearly 1.1 million individuals. 

Brian Selfridge: [00:23:10] So if recent history is any guide, I think we can watch out for further class action lawsuits related to these two breaches. Just any time you have that kind of number involved in the volume of impact, there are going to be folks that want to address that through these class action vehicles. So you heard that prediction here first and we'll see in the next podcast if those have launched yet. All right. Well, while we're on the topic of third-party vendor risk, the Cloud Security Alliance recently released new guidance on managing third-party cyber risk in healthcare that offers some practical and useful tips for defenders to consider. The Cloud Security Alliance, I'll just call it the CSA, if that's okay, from here. Their report is organized around the Cybersecurity Framework using the top five functions in CSF. If you're familiar with those: Identify, Protect, Detect, Respond, Recover. I think I can still remember those. So it's kind of organized in that familiar structure, which is helpful. And the bottom line that CSA says in the report is that third parties have been responsible for almost half of all data breaches. So IBM says 20%. These guys say almost half. So, you know, potato, potato. Anyway, I want to go through each of the five categories that I mentioned and some of the recommendations from the Cloud Security report, just because this topic is such a big deal in getting cloud locked down. 

Brian Selfridge: [00:24:26] So the first is Identify. CSA's recommended approach to this function is to implement processes to identify new third parties and changes to existing ones. It doesn't go into detail on how to assemble the inventory. The most common approach is to work with procurement to identify what vendors are being paid. That's always a great place to start, and then create vendor capture steps during new contract negotiations. The report also discusses the importance of establishing an inherent risk rating system for your vendors. So some examples for inherent risk scoring could include determining if the vendor has access to, maybe, the volume of what kind of data is stored in the cloud versus elsewhere. Do they use fourth parties? Find out if the vendor is financially sound as well. Those are just some ways to sort of get a handle on inherent risk. The next section they go through, the Protect section, advises the use of risk assessments and risk treatment work against the vendor population. So there we are, back to our risk analysis. Everywhere that goes needs to be in your risk assessments. So that includes third parties. Some suggestions the paper provides for risk assessments include security control questionnaires, financial risk evaluation of the vendor, assessing business continuity disruption. That's a big one, right? As vendors go out for ransomware and other outages. CSA also suggests requesting that your vendors provide trusted certifications like HITRUST, SOC 2, third-party conducted assessments against recognized standards like the CCF. 

Brian Selfridge: [00:25:59] So all pretty useful guidance there. The Detect section really just focuses on the need for healthcare organizations to continually monitor their vendors. So that's getting us away from just evaluating at the time of purchase and then never looking at security again. We have to get to where we're actually continuously monitoring. And then the Respond section of the CSA report really focuses on incident response playbooks, making sure you have those in place as well as the tabletops that would go with those. And so that's been a theme we've talked about all episode, it would seem. And then there's the Recover section of the report, in which CSA champions the term cyber resilience, which is becoming really a well-established term, I think, at this point. Just the bounce-back ability, which was my original idea, but they went with cyber resilience, whatever, bounceback-a-bility sounds nice. So anyway, their focus was on restoring systems and the services the vendor provides to the healthcare organizations and planning how to better protect against future incidents. CSA focuses on business continuity, saying that once an event has been identified, the team should actively engage vendors to identify alternative sourcing for the service provided by that vendor. So that is really big. So much is thinking, well, we'll just wait till the vendor comes back up. But quite often that can be weeks, and that's not acceptable for some critical life-saving services, particularly on the provider side of the house. 

Brian Selfridge: [00:27:22] Okay. Moving on to other threat news this week, just to shake things up a little bit, Microsoft reported that roughly 10,000 businesses were attacked in a month-long adversary-in-the-middle campaign that raked in an estimated millions in financial fraud. This was a large-scale phishing attack that used sophisticated methods to avoid multifactor authentication. It doesn't sound good. And bypass authentication and password requirements. So this is a pretty serious actor that has the scale to go after 10,000 businesses at once using advanced attacks. The attackers used the stolen credentials and session cookies to access affected users' mailboxes and perform what they call follow-on business email compromise campaigns for financial fraud and other attacks. So make sure your awareness and training programs and your SecOps people are taking a look at this particular attack and the techniques that they're using, so you don't become one of those 10,000 that ends up with a breach. All right. Next up, the HHS Health Sector Cybersecurity Coordination Center. I never quite say that well. They issued an alert about an increase in Web application attacks on the healthcare sector. So I just want to highlight just the five key points from this report that I think will be useful for you. So they said that Web application attacks are conducted by financially motivated cybercriminals and state-sponsored hackers. These Web app attacks are the number one avenue of breaches for healthcare attacks, according to the 2022 Verizon Breach Investigations Report. 

Brian Selfridge: [00:28:52] They also say Web application attacks target Web servers accessible from the Internet, and use stolen credentials to gain access to the application or exploit vulnerabilities in the application or underlying architecture. These attacks are used to gain access to sensitive information and to access applications and networks for espionage or extortion. So finally, HHS recommends implementing Web application filters, security testing, and secure development testing to curb and protect against Web app attacks. So this is a bit timely for us, actually. We've pre-recorded some of these interviews and podcasts and actually just recently interviewed a gentleman named Adams from a company, Security Innovation, that does SDLC (software development lifecycle) security work. And we go into depth about web application attacks and protection. So you definitely want to stay tuned for that one. We'll release that, I believe, in two weeks. And you can give that a listen; that really goes into this in depth and is reinforced with this coincidental HHS report that came out this week. All right. In other industry news, there has been a new report issued by the Institute for Security and Technology that summarizes recommendations from a ransomware task force that the organization created in 2022. So, relatively new group and new work. The report is called Combating Ransomware: A Comprehensive Framework for Action. I'm going to admit upfront I wanted to share this with you because I think it's neat to see new reports that come out. 

Brian Selfridge: [00:30:21] I found this report a little bit lacking in terms of practical and useful guidance for industry practitioners, in that the report seems to be more geared toward recommendations for US governmental agencies to combat ransomware at their level. That said, I think it's useful to get insight into potential government action in this space and keep the conversation going in ways that we can prevent and mitigate ransomware attacks from all angles. So if you want more specific guidance on what actual healthcare entities should do in a more prescriptive way to handle ransomware, then definitely check out our resource center on MeditologyServices.com and search for ransomware. I put a bunch of stuff up there for you from the team. All that said, some of the recommendations they make in this report include four goals. Goal one is deterring ransomware attacks through a nationally and internationally coordinated, comprehensive strategy. That sounds easy, except there are some wars going on that might make that a little bit tough to achieve. I'm not being a naysayer. We'll get there. All right. Goal number two is disrupt the ransomware business model and decrease criminal profits. That's a good one. Goal three: help organizations prepare for ransomware attacks. Also excellent. And goal four: respond to ransomware attacks more effectively. I think all very worthy goals. So I'm going to summarize. There's a top five priority recommendations from the report. 

Brian Selfridge: [00:31:37] So I'll try to give you a rundown of those so you can get a sense of their approach here. So, number one, coordinated international diplomatic and law enforcement efforts must proactively prioritize ransomware through a comprehensive resourced strategy, which includes a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals. So that's really your Eastern Europe and Iran and some of the places where these big launch points are coming from. The number two recommendation in the report is that the United States should lead by example and execute a sustained, aggressive, whole-of-government, intelligence-driven anti-ransomware campaign. There's like eight different hyphenated recommendations. There she is. So this includes establishing more agencies, more working between the groups, more task forces, yadda, yadda, yadda is the rest of that. If you want to read the whole thing, you can. But it just goes on and on. The number three recommendation is that governments should establish cyber response and recovery funds to support ransomware response and other cybersecurity activities. They should mandate that organizations report ransom payments and require organizations to consider alternatives before making payments. Number four recommendation of five: an internationally coordinated effort should develop a clear, accessible, and broadly adopted framework to help organizations prepare for and respond to ransomware attacks. I love that idea. I love it. Everybody's building playbooks right now; it sort of seems to be the trend, particularly around ransomware. 

Brian Selfridge: [00:33:05] So we've made a bunch of them and our clients have, so they're out there. But it would be nice to have a centralized resource that we could pull upon as these ransomware attacks evolve. All right. The fifth and final recommendation of the report is that the cryptocurrency sector that enables ransomware crime should be more closely regulated. Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter trading desks to comply with existing laws, etc., etc. Interesting report. Definitely a new angle on that. I hope some of that comes to fruition. 

Brian Selfridge: [00:33:35] All right. For our final update today, OCR has issued 11 financial penalties for covered entities for HIPAA right of access failures. These 11 penalties are part of the 38 total penalties issued by OCR for right of access violations over the last couple of years. This has been a major focus area for them recently. The HIPAA right of access provisions are really designed to make sure that patients can get timely access to their medical records, so they also give the patients the right to inspect their PHI that is held by covered entities and request copies of their records and all that stuff. Examples of non-compliance with these latest fines include records not being provided in the 30-day window required by the law. That was a big sort of theme. The delays in providing records in these latest cases ranged from several months, like you're supposed to get it in 30 days but it took three months, to as high as 564 days, and even one case where the records were just never provided at all. 

Brian Selfridge: [00:34:28] So that's one way to get a fine. The amount of the fines and settlements ranged from the very, very low end of $3,500 all the way up to a quarter million dollars, $250,000. So these aren't particularly high numbers when we talk about other financial penalties from OCR and settlements, but it's clear just by the volume of cases that they're bringing that OCR continues to drive home enforcement of HIPAA right of access as a top priority. So make sure you have a solid process in place if you don't already. 

Brian Selfridge: [00:34:57] And that's all for this session of The CyberPHIx healthcare security roundup. We hope this has been informative for you. We'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. So that's all for this week, and so long. And thank you for everything you do to keep our healthcare systems and organizations safe.