Healthcare Cybersecurity Weekly Briefing 11-03-2017

Critical Informatics Healthcare Cyber Security

Critical Informatics Healthcare Cyber Security

NHS Cyber Attack Far More Extensive Than Thought, Says Report

The scale of the cyber-attack on the National Health Service was far larger than previously appreciated, according to a report by the spending watchdog that lays bare the health service’s poor preparation to cope with such a threat. The National Audit Office says the department was warned of the risks to its IT systems a year before the May assault, but only published a formal response to security recommendations two months afterwards. The report also discloses that every NHS trust whose cyber security arrangements were checked before the breach had failed the inspection.

 

Healthcare Cyber Security Market to Grow at the Highest CAGR According to New Research Report 2022
The service segment includes end-user spending on consulting, designing & integration, risk assessment, and training. The solution segment includes deployment of healthcare cybersecurity solutions such as breach detection, business continuity & disaster recovery, cloud & data centers, data loss protection, identity & access management, mobile devices, and risk & compliance management cyber security solutions in healthcare organizations across the globe.

 

NHS Could Have Avoided WannaCry Hack With ‘Basic IT Security’, Says Report 
The National Audit Office (NAO) said that 19,500 medical appointments were cancelled, computers at 600 GP surgeries were locked and five hospitals had to divert ambulances elsewhere. […] “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

 

Restoration Costs of Ransomware Attacks Triples Since 2016
Ransomware has become the new plague to run rampant through the cyber world, rising to the fifth most common malware type and causing the costs of restoring computer systems from such attacks to triple since 2016.

 

How the FDA Pushes Medical Device Cybersecurity
Released in late 2016, the guidance for post-market management is a 30-page document that lists specific vulnerabilities that companies should test, how they should go about doing that, threat reporting recommendations, and more. For instance, the document notes that changes to a medical device made solely to boost security—like a patch—are considered enhancements and don’t need to be reported.

 

EHNAC: Risk Assessments, IoT Security Crucial in Attack Mitigation
Hospitals and healthcare organizations need to keep a strong focus on their risk management and risk assessment process and ensure that any third parties or business associates also have proper security and IT risk management protocols in place, according to Electronic Healthcare Network Accreditation Commission (EHNAC) Executive Director Lee Barrett.

 

Latest WannaCry Attack Stresses Healthcare’s Need to Fortify Defenses
The task force discovered a “severe” lack of security specialists, according to Corman, with 85% or more medical organizations—particularly small, medium, and rural hospitals—lacking a single qualified security person on staff. “They have more janitors at these hospitals than they do security people,” he said.

 

What Are Basic, Essential Healthcare Cybersecurity Measures?
OCR also urged covered entities and business associates to regularly train staff members on cybersecurity issues. This can include but is not limited to employee training on phishing emails and when to report a cyber incident and to whom. Employee security awareness was the greatest healthcare data security concern for 80 percent of surveyed health IT executives and professionals, a HIMSS Analytics survey found.

 

3 Common Cybersecurity Threats to Healthcare
Many attacks on health systems are targeted: Hackers don’t just prey on a hospital to get patient data, but to get specific patient data. “At times, they are interested in a certain patient’s information, whether for blackmail or otherwise,” Kim said. “So the attacks are targeted against a specific healthcare organization because they know that John or Jane Doe frequent that institution.”

 

Hospitals, Don’t Wait to Address These Little-known IoT Security Issues
“Devices are purchased with the expectation they will last for years. However, as threats evolve, there is not always a vendor expectation to maintain these devices and provide patches,” said Ryan Spanier, director of research at Kudelski Security. “To complicate matters, many of these devices cannot be taken down for regular maintenance.”

 

HHS Continuing to Push for Healthcare Cyber Threat Sharing
[The] 2015 Cybersecurity Information Sharing Act […] called on the agency, which is tasked with protecting the health care and public health critical infrastructure sector, to stand up a Health Care Industry Cybersecurity Task Force as well as disseminate information across industry to improve the sector’s cyber posture under Section 405 D.

 

Hospital Impact—Cybersecurity Breaches Pose Major Legal Threat to Healthcare Providers
Although no loss of life has yet been reported due to one of these device vulnerabilities or ransomware attacks, it is only a matter of time until medical device manufacturers, hospital administrators and healthcare providers are sued. While insurers may seek shelter in cyber policies’ personal injury exclusions, limits and sublimits, healthcare providers may find themselves facing a new kind of malpractice claim—one that may not be covered by their usual malpractice policy.

 

What Should Entities Expect with OCR HIPAA Enforcement?
“What they’re saying about enforcement is not a sharp change because they’ve been saying it for a number of years,” Meisinger explained. “They’ve been saying, ‘We don’t have the ability to investigate every data breach in the country, but we do have the ability to make examples of people.’”

 

Stay up to date on the Healthcare Information Security news that you need to know by signing up for our Healthcare Briefing Here.

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.

//]]>