Category Archives: Healthcare

DHS Cyber Incident Response Plan Focuses on Infrastructure Risk

The National Cyber Incident Response Plan describes how stakeholders in numerous areas can properly react to cybersecurity threats.

The Department of Homeland Security released a refreshed version of its National Cyber Incident Response Plan (NCIRP), with a strong focus on how the US can react to cybersecurity threats to critical infrastructure.

The NCIRP as previously published on September 30, 2016, with a national engagement period that went until October 31, 2016.

“The NCIRP describes a national approach to dealing with cyber incidents; addresses the important role that the private sector, state and local governments, and multiple federal agencies play in responding to incidents and how the actions of all fit together for an integrated response,” the US Computer Emergency Readiness Team (US-CERT) stated on its website.

Public and private partnerships are critical to address major cybersecurity risks to critical infrastructure, the NCRIP executive summary explains. Furthermore, the plan “sets common doctrine and a strategic framework for national, sector, and individual organization cyber operational plans.”

Several guiding principles outlined in the Presidential Policy Directive (PPD)-41 also helped DHS and other agencies create the NCRIP:

  • Shared responsibility
  • Risk-based response
  • Respecting affected entities
  • Unity of governmental effort
  • Enabling restoration and recovery

“While steady-state activities and the development of a common operational picture are key components of the NCIRP, the Plan focuses on building the mechanisms needed to respond to a significant cyber incident,” according to the NCRIP.

The plan also differentiates between a “cyber incident” and a “significant cyber incident.” The former is when the “confidentiality, integrity, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident” are potentially jeopardized.

Significant cyber incidents on the other hand are events that potentially result in “demonstrable harm” to national security interests, foreign relations, US economy, public confidence, civil liberties, or public health and safety.

The DHS Office of Cybersecurity and Communications will also conduct and oversee NCIRP reviews and maintenance in coordination with the DOJ, Office of the Director of National Intelligence, and Sector Specific Agencies.

“The revision process includes developing or updating any documents necessary to carry out capabilities,” the NCIRP explained. “Significant updates to the Plan will be vetted through a public-private senior-level review process.”

The Healthcare Information Management Systems Society (HIMSS) previously commented on DHS response plan, saying it supported the overall principle of cybersecurity education and readiness being shared responsibilities.

HIMSS did point out that all dimensions of potential cybersecurity threats should be considered. For example, IT infrastructure and assets can exist in terrestrial, sea, air, and space. The NCIRP should therefore address all dimensions to help create a flexible response plan.

“The complexity of threat and asset response may be significantly compounded, especially when multiple dimensions are in play— including in the private and public sectors (e.g., underwater data centers, undersea Internet cables, satellite communications, and over-the-air communications),” HIMSS wrote to DHS.

HIMSS also said in its October 2016 letter that a better definition of what qualifies as a cyber incident was necessary. Large cyber threats that could potentially impact public health and safety are a top concern for HIMSS, the organization explained. HIMSS said it is already working to ensure that the healthcare industry understands how to properly prepare for such threats.

“As the federal government’s decision to fund two grants for the NH-ISAC indicated, coordination across the healthcare community is becoming increasingly important in the fight against cyberattacks,” the letter stated. “Collaboration with the NH-ISAC and other stakeholders, particularly on threat identification and incident mitigation, will have a significant impact on public health and safety.”


HIPAA/HITECH Compliance – What Is the HITECH Act?


Not sure what the HITECH Act is all about? If you’re new to HIPAA compliance and related concerns, here’s a quick overview.

Summary of HITECH Act

HITECH stands for the Health Information Technology for Economic and Clinical Health. The HITECH Act was created in 2009 to encourage the adoption and “meaningful use” of electronic health records (EHR) and supporting technology in the U.S. This act was part of the American Recovery and Reinvestment Act (ARRA) economic stimulus bill. The HITECH Act initially offered financial incentives to providers who demonstrated “meaningful use” of EHRs. Later stages of the implementation of the act included penalties for providers who did not meet these requirements.

The HITECH Act also modified HIPAA. One of the ways it did so was by requiring covered entities to notify individuals whose protected health information (PHI) has been compromised. Additionally, it increased the fines that could be applied for noncompliance (up to $1,500,000); it authorized state Attorney Generals to bring actions to enforce violations of HIPAA; and it expanded portions of HIPAA to apply to business associates of covered entities and required the federal Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to audit both covered entities and their business associates.

Present and Future of HITECH Act

Many features affected by the HITECH Act are currently under debate, including changes to the definition of “meaningful use” of EHRs, cybersecurity issues, and interoperability issues.

As of April of this year, proposed new federal regulations may bring an end to the electronic health records “meaningful use” incentive program portion of the HITECH Act. This portion would be replaced with a simplified program. Concerns raised about these proposed changes state that they fail to address threats to cyber security from hackers and ransomware, a topic of real concern as healthcare providers have been under increased attack this year.

The proposed changes would also affect payment mechanisms for physicians, attempt to fight both information blocking, and would replace the current “meaningful use” program with the “advancing care information” category. As the HHS explains, this category would focus on interoperability and information exchange, and in contrast to the existing program, would not require and all-or-nothing approach to measuring the quality of EHR use. (For more on the proposed changes, see Healthcare Info Security’s in-depth article on the impact on security of Medicare’s new physician payment plan.)

Check out some of the technology that is coming your way for HEALTH:

The medical community really needs to pay attention to the new HIPAA/HITECH compliance rules.  This new rule is really going to affect the smaller healthcare groups that do use compliance today.


Hackers demand ransom payment from Kansas Heart Hospital for files

WICHITA, Kan. A hospital held hostage by hackers and denied access to its files until it pays a ransom. It’s a crime that’s been reported across the country, and now it’s happened in Wichita.

It’s called “ransomware” – hackers hijack your computer and hold the data until you pay up.

The Kansas Heart Hospital is the latest victim of this attack.

The hospital’s president, Dr. Greg Duick, says the hackers never got access to patient information, but the attack did cause problems.

“Kansas Heart Hospital had a cyber attack occur late Wednesday evening,” Duick said. “We suspect, as attacks other parts of the country, this was an offshore operation,” he said.

Duick says hackers holding hospital files hostage is very common.

“Upwards of 45% of hospitals have received some kind of cyber attack. And multiple hospitals had additional attacks,” he said.

About 9pm Wednesday, a hospital employee lost access to files.

“It would be like you’re working on your computer and all of a sudden, your computer says, sorry can’t help you anymore,” Duick said. “It became widespread throughout the institution.”

Hackers got into the system, and locked up the files, refusing to give back access unless the hospital paid up.

“I’m not at liberty because it’s an ongoing investigation, to say the actual exact amount. A small amount was made,” Duick said.

But even after the hospital paid, the hackers didn’t return full access to the files. Instead, they demanded another ransom. The hospital says, it will not pay again.

“The policy of the Kansas Heart Hospital in conjunction with our consultants, felt no longer was this a wise maneuver or strategy,” Durick said.

The hospital was aware that an attack like this might happen, and it did have a plan

“That plan went into immediate action. I think it helped in minimizing the amount of damage the encrypted agent could do,” Durick said.

“The patient information never was jeopardized and we took measures to make sure it wouldn’t be,” he said.

Durik also says the attack never impacted patient treatment and will help the hospital strengthen its response to future hackers.

Ransomware is so common that many hospitals, Kansas Heart, have insurance to help cover costs of cyber extortion.

The hospital is working with it’s IT team and security experts restore the rest of the system.

Hospitals have become a favorite target of the ransomware scam. Earlier this year 10 Medstar facilities in the Washington region were part of a cyber attack that prompted the health care provider to shut down it’s computer system.

Also in February a California hospital paid $17,000 in ransom to regain access to its medical records.



Ponemon Institute Reports Healthcare Data Under Attack by Criminals.

Results from the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data have confirmed what many in the healthcare industry had suspected and even feared: 65% of the healthcare organizations participating in the study had experienced electronic information-based security incidents over the past two years. In addition, some 87% of third-party vendors, identified by HIPAA as Business Associates (BAs), reported a data breach in the last two years.

More disturbing is the revelation that for the first time in the history of the study, criminal attacks are the number one cause of data breaches in healthcare. The number of criminal attacks on healthcare organizations and business associates has increased 125% compared to five years ago. According to the study, more than 90% of the healthcare organizations taking part had experienced a data breach, and 40% of the respondents had experienced more than five data breaches over the past two years.

No healthcare organization, no matter its size, is impervious to these attacks. And they are certainly not immune to the side effects of a breach.

The rapid growth of data breaches in the healthcare industry is putting health information at risk at an alarming rate. Moreover, it’s expensive—for all concerned. According to the Ponemon Institute study, “…the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million…the average cost of a data breach to BAs represented in this research is more than $1 million.”

The study’s findings also reveal that 45% of the healthcare organizations surveyed reported the occurrence of a Cyberattack indicated the source of the attack was criminal, while 12% cited the work of malicious insiders. 39% of the BAs reported breaches caused by criminal attackers while 10% attributed the attacks to malicious insiders.

The study described an increase in Web-borne malware attacks, citing 78% of the healthcare organizations surveyed as having experienced security incidents caused by malware; 82% of BAs had suffered security incidents attributed to malware.

Perhaps one of the most shocking data points reported is that in spite of the increased criminal activity and the rapidly evolving threat environment, the majority of healthcare organizations indicated implementing no changes to what they’re doing or how they’re doing it. Only 40% of healthcare organizations and 39% of BAs surveyed expressed concern about cyberattacks.

Other Findings Giving Cause for Increased Cyber security Measures

Policies and Procedures in Place

The survey results clearly illustrate the reality that healthcare organizations and the BAs with whom they work need to invest more in technologies that allow them to respond quickly to data breaches. While 58% of healthcare organizations responding agreed that they have policies and procedures in place that allow them to detect a data breach quickly and efficiently, fewer than half believe they have sufficient technologies in place to do so — and only 33% were confident they have the resources needed to prevent or quickly detect a data breach. Responses of BAs participating in the survey fell along similar lines. 50% of business associates responding stated that they have the policies and procedures in place to prevent or detect a security incident, while fewer than half believe they have sufficient technologies. Lastly, only 41% of BAs stated that they have adequate resources to be able to identify and repair data breaches.

Top Concerns of Respondents

The research also revealed interesting insights relating to the top concerns of survey respondents. While the number of criminal attacks on healthcare organizations and business associates has increased 125% compared to five years ago (and 45% of the organizations surveyed traced data breaches to criminal activity) only 40% of the respondents were most concerned about Cyberattacks as a security threat. BAs were even less immediately worried with only 35% citing Cyberattacks as a top concern. Here’s an overview of what they reported being most concerned about:

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data

The security threats BAs worry about most:

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data

How Attacks Are Discovered

Among other key findings detailed in the Poneman report are the statistics relating to how health organizations have uncovered the security attacks. 69% learned of a data breach through an audit or assessment, while 44 % were discovered by an employee. 30% of data breaches were reported by patients, 23% were uncovered accidentally, and 18%came from a legal complaint. Law enforcement was responsible for 6 % of the discoveries and loss prevention teams for 5%.

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data  

Business associates reported different statistics, with 60% of data breaches reported as being uncovered by employees and 49% discovered as a result of audit or assessment. BAs said 33% were found accidentally, 21% through a legal complaint, 17% from a patient complaint, 13% from loss prevention teams, and 12% by law enforcement.

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data


The findings of the Ponemon Institute survey paint an alarming picture: the healthcare industry, which manages vast amounts of personal data, is under attack by criminal elements and jeopardized by employee negligence, as well as the actions of malicious insiders. The number of data breaches is growing exponentially, and both healthcare organizations, and the business associates who serve them lack sufficient technologies, resources, and processes to ensure data is kept secure.

The report details a slow but steady increase in technologies used by both healthcare organizations and their business associates to detect and mitigate the impact of cybersecurity threats, but concludes that the pace of the investments in both technologies and security expertise is not sufficient at this time.

In conclusion, the Ponemon Institute calls for intensive employee training and awareness programs, ramped up investments in technologies and security expertise, and a broad application of innovative solutions to the industry to improve the current status of the privacy and security of the nation’s healthcare data.


Looking to improve cybersecurity? Fire some CEOs

Great Article by Bill Siwicki

Running security and IT under a CFO or chief administrative officer is bound to be problematic because they typically lack a technology background. One expert’s alternative: Empower CIOs and all employees to innovate a culture of security.

MansurHasibhitnThere’s a big problem thwarting cybersecurity today and it has to do with people – those at the top specifically, according to Mansur Hasib, a cybersecurity professor at the University System of Maryland.

“Many executives have taken the view that cybersecurity is control of people, limiting people’s use, essentially telling people they are dumb, that they cannot use technology, that their ability to load software on their computers will be disabled,” said Hasib, who wrote the books “Cybersecurity Leadership” and “The Impact of Security Culture on Security Compliance,” and earned a doctorate in cybersecurity from Capital Technology University in Laurel, Md. “Most companies run IT and cybersecurity where IT professionals live in these hallowed halls and they do not share knowledge.”

As part of his doctoral dissertation on cybersecurity in 2013, in fact, Hasib conducted a national study across a wide swath of organizations in the U.S. and found that half of healthcare entities operate IT and cybersecurity efforts through non-IT officers such as the CFO or the chief administrative officer.

Further, one-third of healthcare organizations have no CISO and one-fifth have no plan to hire a CISO anytime soon. He said this is an enormous problem for healthcare cybersecurity today.

Hasib will speak at The HIMSS and Healthcare IT News Privacy & Security Forum, May 11-12, 2016, in Los Angeles, California.

“Anthem, which had the biggest security breach in healthcare, runs IT through its chief administrative officer,” Hasib said. “These executives, with their MBA backgrounds, have no clue about IT and security, so why is this person in charge of it? Yes, they have a CIO, but no real CIO should work for a CFO or CAO. If I am a CIO and I am not reporting directly to the CEO, then I am not a CIO.”

That problem starts in graduate schools, Hasib said, where the lack of focus on IT or cybersecurity is partially responsible for what London Business School researcher and professor Gary Hamel determined, which is that innovation and productivity in the U.S. are half of what they were in 1972.

Individuals and employees, on the other hand,  are armed with greater access to technology than they have ever had. Today’s mobile phones and tablets, for instance, effectively democratize IT by putting it in just about everyone’s hands. As a result, the concept of technology run by a privileged few no longer works.

“That’s why there is a massive failure – the trust divide between executives and the common people,” Hasib explained. “Employees realize they do not have access or a role. But the reality is everyone handles data and technology, therefore the ultimate cybersecurity posture of any organization depends on people. Behavior of people determines ultimate success.”

Hasib learned about that massive failure when Anthem breached his own health data. And because of Anthem’s reporting structure, Hasib has a cure to the company’s cybersecurity woes that is blunt. “In order to improve cybersecurity, fire some CEOs,” he said. “If any CEO thinks their CFO can run their IT and cybersecurity, then that CEO does not belong in the CEO role.”

Hasib went on to say that the reason there has been such a decline in innovation in America – innovation by employees that is needed to bolster cybersecurity – is because Corporate America has put leaders on an anointed pedestal.

“We think authority is leadership, but it is not – knowledge is leadership,” he said. “Every one of us has some knowledge we can use to guide others in whatever it is we know. Leadership is guiding someone to a purpose, usually where that person wants to go. Management is forcing someone to go where you want that person to go. It is much better to inspire people and lead them to where they want to go.”

As such, any C-suite officer can inspire values in employees throughout an organization, values that in the case of cybersecurity can include, for example, loyalty, trust and innovation.

“A company that does not have the loyalty of the people in its organization will never have cybersecurity,” Hasib said. “Great companies have a culture where they allow people to take risks – and understand innovation by itself has risk.”

Hasib cited as an example a nuclear power plant he studied. Needless to say, safety was a value its leaders promulgated throughout the organization.

“There, safety is the culture,” he explained. “Every employee is incentivized. Their business is based on how many hours they can go without a safety incident. In healthcare, does any organization give incentives for how many days without data loss? You can certainly have a goal of zero data loss, that is easy enough. What if you rewarded people for that? Everything is negative today, and people are not excited about negative stimulus. Leaders should give people incentives and reward innovation.”

Cybersecurity must indeed be about continuous innovation, Hasib added. Without innovation, an organization will never have cybersecurity, and it’s people who create a culture of innovation.

Hasib will speak at The HIMSS and Healthcare IT News Privacy and Security Forum, May 11-12, 2016, in Los Angeles, in a session titled “Healthcare USA: How to Create a Human Firewall,” May 11 from 1:45-2:30 p.m. Register here

Twitter: @SiwickiHealthIT
Email the writer:

Internet of Things sparks healthcare cybersecurity concerns, HIMSS16 speaker says

As connectivity continues to expand, cybersecurity should be top of mind for CIOs, CISOs and other hospital executives, according to Eric Miller of Ascension.

medicaldevicehitn_0The Internet of Things is set to explode. Forecasters expect more than 6 billion objects connected to the Internet this year and some expect 50 billion by 2020. But with connectivity comes risk.

For healthcare providers trying to leverage what is emerging as the IoT for healthcare – that growing universe of wearable sensors, networked devices and home monitoring systems deployed to collect medical data and even treat patients – ineffective cybersecurity can have potentially dangerous consequences.

“The Internet of Things is different from the Internet of Things for healthcare in terms of risk,” said Eric Miller, senior director of IT at Ascension Information Services.

Miller pointed to a recent initiative in which white hat hackers working with the Mayo Clinic were easily able to hack into numerous connected medical devices, including an infusion pump that delivers drugs and fluids into patients.

One of the hired hackers, in fact, was able to connect an infusion pump to his computer network and manipulate the dosage remotely.

Miller and Paul Unbehagan, chief architect of Avaya, will discuss technologies that enable the security of connected devices and how providers can recognize and mitigate these cyber security risks during a HIMSS16 session on March 1, 2016.

“Our goal is to show how to reduce the risk from connected medical devices in a manageable way,” Miller added. “There’s a process side to it and a technology side, and we will discuss both,” Miller said.

The session will cover how providers can get a handle on the number and types of Internet of Things for healthcare devices connected to their network; how to apply risk models to device classifications in order to clarify the threat level; how to implement automation to manage the security of the growing number of connected devices; how to evaluate inventory management options against existing technologies; and how to create an implementation plan.

“We want attendees to leave this session with an understanding of how to improve their risk posture for the existing Internet of Things for healthcare as well as the connected devices to come,” he said.

The Internet of Healthcare Things” will be held Tuesday, March 1, from 1 – 2 p.m. PST in the Sands Expo Convention Center Human Nature Theater.