Healthcare Cybersecurity Weekly Briefing 5-5-2017

Protecting Healthcare Operations from Cyber Liability

“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” the Office for Civil Rights at the U.S. Department of Health and Human Services said. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” the agency said. In other words, the loss of the data alone was sufficient to warrant sanctions.


The Vulnerability & Safeguarding of the Healthcare Tech Sector from Cyber Attack

Individuals and organizations with questions or other needs pertaining to the healthcare sector are turning to the internet and digital technology for convenience and time savings. However, along with the ease these technologies offer comes the threat of cyber-attack, leaving hospitals and the entire healthcare sector increasingly vulnerable. In a broader context, security encompasses physical security as well as cyber security. Cyber security in particular entails protecting data and systems from threats such as cyber terrorism, cyber warfare, and cyber espionage, to name a few.


Ransomware, Cyberespionage Dominate Verizon DBIR

The DBIR, an analysis of more than 40,000 incidents (including 1,935 breaches) investigated by Verizon, shows that cybercriminals targeted manufacturing, the public sector and education the most, but Verizon senior network engineer Dave Hylender said the healthcare industry was hit the hardest with ransomware. “Organized criminal groups continue to utilize ransomware to extort money from their victims, and since a data disclosure in these incidents is often not confirmed, they are not reflected in statistical data,” Verizon wrote.


Cybersecurity Taskforce Seeks New Security Framework, Exemption to the Stark Law

These include a new cybersecurity framework specific to healthcare and amendments to the Physician Self-Referral Law (Stark Law) and the Anti-Kickback Statute to allow healthcare organizations to assist physicians with cybersecurity. These, along with other imperatives set out in the report, would “help to increase awareness, manage threats, reduce risks and vulnerabilities, and implement protections not currently present across a majority of the health care industry.”


This sort of thing, unfortunately, is happening to health care providers of all types and sizes.

Behold, the spear phish that just might be good enough to hook you.

One variation started with an e-mail threatening a lawsuit because a visitor got sick after eating at one of the company’s restaurants. To increase the chances the attached Microsoft Word document is opened, the attackers personally follow up with a phone call encouraging the recipient to open the booby-trapped file and click inside. The attacker calls back a half-hour later to check if the recipient has opened the document. The attacker immediately hangs up in the event the answer is yes.


Stay up to date on the Healthcare Information Security news that you need to know by signing up for our Healthcare Briefing at:


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.