The CyberPHIx Roundup: Industry News & Trends, 9/23/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • A recent patient fatality directly resulting from a cyber attack; details and analysis
  • OCR’s latest resolution agreement and $1.5m fine for a Covered Entity breach involving a third-party Business Associate
  • A ransomware recovery case study from a hospital that remains crippled for several months following the attack
Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx Health Care Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading health care security, privacy and compliance leaders at Meditology Services dot com or on your favorite podcast hosting platform; just search for CyberPHIx. So let's dive into this week's episode.

Brian Selfridge: [00:00:38] A disturbing incident was reported this week that may be the first confirmed patient fatality resulting from a cyber attack. The University of Dusseldorf in Germany was the victim of a ransomware attack a few weeks ago. On Thursday, September 10th, the university's clinic and hospital were impacted and systems were locked up. A female patient suffering from a life-threatening illness had to be turned away on the night of Friday, September 11th, the day following the cyber attack, by the city's university hospital, and died after the ambulance carrying her was diverted to another facility about 20 miles away. German authorities had contacted the attackers and made an appeal to decrypt the hospital's files and restore operations. The decryption key was actually sent, but not before the patient had expired, unfortunately. German prosecutors have opened a formal homicide investigation against the currently unidentified attackers. Now, assuming they were in coordination with the attackers at some point, there may be a way to trace that trail back. We'll see whether or not that's viable. As of Friday, September 18th, the hospital's I.T. operations remain affected and are still unable to admit patients brought in by ambulance. The source of the specific ransomware infection was a Citrix VPN vulnerability that the hospital actually discovered in December 2019. Germany's federal cybersecurity agency issued a statement that calls on health care facilities not to delay security upgrades.

Brian Selfridge: [00:01:56] This story rips me up personally. This is the reason we get out of bed every day here at Meditology: to help health care organizations avoid these types of outcomes. Those of us in the industry have known for some time that the likelihood of patient fatalities resulting from cyber attacks has been growing day by day. Medical devices, for example, have been at the top of the list of systems most likely to lead to adverse patient outcomes due to unavailable or malfunctioning devices from attacks, including ransomware. Our team here at Meditology performed an analysis earlier this year of the FDA's MAUDE database relating to patient deaths reported from medical device and system issues. There are multiple instances in the MAUDE database of patients dying due to devices that rebooted, froze up or were otherwise unavailable at critical junctures, including surgeries. As ransomware attacks mount and our systems remain vulnerable, I'm afraid that we may see more of these cases, like the terrible event in Germany, playing out over the next several years.

Brian Selfridge: [00:02:49] In other news, on the regulatory side of things, OCR issued another fine this week to the Athens Orthopedic Clinic in Northeast Georgia. The clinic was fined $1.5 million for violations stemming from a database of over 208,000 patient records that was exposed and posted online by a malicious attacker. An attacker going by the moniker "The Dark Overlord" had compromised a vendor's access credentials in June 2016 and had access to the clinic systems into July of that year. As is commonly the case, the data breach was the reason OCR launched an investigation, and the resolutions and fines were related to multiple gaps in compliance with the HIPAA Security Rule in particular. Specifically, the resolution agreement cites issues with maintaining HIPAA policies and procedures; audit logging and monitoring practices; a business associate agreement (BAA) that was not in place with their third-party vendor, Quest Records LLC, where the breach originated; HIPAA security and privacy training for the workforce that was not in place; and our favorite, most commonly cited area, a lack of accurate and thorough risk analysis and related corrective actions.

Brian Selfridge: [00:03:55] We discussed in our last few episodes that the new king of data breaches this year in health care is no longer lost or stolen devices and encryption per se, although that's still high on the list. It's now all about hacking incidents. We saw that with the IBM data breach report. We saw that with those stats that OCR put out. The implication of a third-party vendor and business associate in this particular case is also a trend that we see continuing to play out as health care becomes increasingly dependent on third parties to deliver care and manage their operations. You can check out our joint presentation earlier this year with OCR that is dedicated to the third-party and Business Associate risk topic. A replay of the webinar is available at Meditology Services dot com in our resource center.

Brian Selfridge: [00:04:35] The last update for this week is related to another ransomware attack that has kept a New York-based hospital crippled since July of this year. That's right. It's been several months, and services still have not been restored for this organization. The impacted entity is Samaritan Health Care in New York, which operates a 290-bed hospital and multiple clinics. Samaritan clinicians are still seeing patients at locations where the computer system hasn't been restored. They're advising patients to bring their most recent medication lists and any medical updates. Samaritan's online portals and smartphone applications are still not operational as well, so it's brutal to see Samaritan Health Care still down after all this time. So it's more than just a compliance issue you have to worry about with these ransomware attacks. It's more than just patient safety, which we saw in our first story. It's also about just bread-and-butter operations and making sure we can run a hospital system effectively and safely. And sometimes you go into multiple weeks and months where you still are not operational. And that can have a major impact on the bottom line, patient safety, care and treatment, and everything else.

Brian Selfridge: [00:05:38] We've covered the full gamut today of adverse impacts from cyber attacks, including patient deaths, severe operational impacts for health care entities and otherwise. We've spoken at length on recommendations for dealing with ransomware and attacks in our prior podcast episodes and our resource center on the Meditology website. I'll try to summarize some of the key recommendations. First and foremost, get your incident response plan updated and tested to include modeling recent attacks like these ransomware attacks. Conduct penetration testing to find those gaps, like that Citrix issue and other vulnerabilities that might be lurking out there. Get to them before the bad guys do. Make sure your risk analysis processes are routine and thorough, and not only addressing the OCR expectations but truly identifying the potential risks for breach, be it ransomware, hacking attacks or otherwise. For more detailed recommendations on ransomware prevention and response, head to Meditology Services dot com, click on our Resource Center and search for ransomware.

Brian Selfridge: [00:06:33] That's all for the CyberPHIx Health Care Security Roundup. I hope this is informative for you, and I'd love to hear from you. If you want to talk about any of this, just reach out to us at CyberPHIx at Meditology Services dot com. See why videos at Meditology Services dot com. So long, and thanks for everything you do to keep our health care systems and organizations safe.