Healthcare Cybersecurity Weekly Briefing 7-28-2017

Critical Informatics Healthcare Cyber Security

Security A Business Priority For Providers, Not Just A Compliance Concern

Since enforcement of HIPAA privacy and security rules began last decade, providers’ focus has been on being compliant with the regulations, he says. But those regulations didn’t anticipate ransomware and many other threats to protected health information that providers confront today. As a result, providers would be well-served to stop thinking HIPAA is a check-the-box exercise, Selfridge contends.

HITRUST CSF Certification Now Includes NIST Cybersecurity Certification

A driver behind this broader growth is found in HITRUST’s support for an organization’s attestation of compliance with the NIST CSF. With the release of HITRUST CSF v9, a single CSF assessment will include the controls necessary to address the NIST CSF requirements, and an addendum to the HITRUST CSF Assessment report has been added to display the HITRUST CSF controls through the lens of the NIST CSF Core Subcategories.

Congressional Task Force Issues Report On Cybersecurity In The Health Care Industry

The Report also criticizes the overwhelming number of regulatory bodies involved on both the federal and state level, observing it has led to overly-complicated and confusing requirements and laws. Given that technology is outpacing the laws and regulations, the task force laments that there are a number of laws and regulations that “impose a substantial legal and technical burden on health care organizations, without having a material impact on reducing risks.”

Hospitals Need To Be Better Prepared For A Cyberattack Against The Nation’s Power Grid

The threat of a large-scale disruption to power means hospitals and state regulators need to do more to ensure providers can maintain critical functionality, according to a report published by the National Academies of Sciences, Engineering, and Medicine. “Given the nature of the system, there is simply no way that outages can be completely avoided, no matter how much time and money is devoted to such an effort,” the authors wrote. “The system’s reliability and resilience can be improved but never made perfect.”

Life-or-Death Decisions: How Do We Safeguard Healthcare IoT?

As with many IoT devices, security is often seen as an inhibitor to application and services development, with security and privacy practices evolving as “bolt on” features, long after the device ecosystem was designed. This is both costly and dangerous. In an effective healthcare IoT development ecosystem, devices themselves, along with the services, cloud infrastructure and applications they interact with, need to have clear infosec, identity and privacy controls embedded from the beginning. To achieve this, full data lifecycle analysis needs to be completed, along with the correct level of risk mitigation and protection.

Healthcare Organizations Are Underestimating Cybersecurity Risks

“Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cybersecurity risks,” said KPMG healthcare advisory leader Dion Sheidy. “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

Malware In Medicine: Prevention Is Key To Protection

The theft of personal data is not, therefore, the major threat in this age of cyber insecurity. More dangerous are ransomware attacks like WannaCry, which can shut down hospital services and destroy patient records. According to Dr Yaraghi, some hospitals are laying in stocks of bitcoin to pay off attackers in the case of a ransomware attack, implying that encrypting and backing up patient data are understood within the health care community to be insufficient.

HIT Think Why IoT Security Is Everyone’s Responsibility

The dangers are clear: device breaches can compromise patient safety and privacy and also provide an entry point for attackers to access health systems’ networks. While every security expert on earth wishes there was a silver bullet that could eliminate cyber risks, no such “one size fits all” solution exists. Regardless of our role in the delivery of healthcare, cyber threats affect all of us, which means that everyone—regulators, device manufacturers, providers and even patients—has a responsibility to help mitigate risk.

How Hospitals Can Shore Up Cybersecurity On A ‘Skinny’ Budget

“The reality is that if you need someone, the best way to do that is to get a vendor who is able to recommend the needed technology and other security needs,” said Lovejoy. Providers should look toward vendors with a healthcare focus that are able to provide the necessary security evaluations.

NY Hospital Spent Nearly $10M Recovering From Massive Cyberattack

About half of that amount is for computer hardware, software and assistance needed in the response. The other half represents a combination of increased expenses, such as for staff overtime pay, and lower revenues from the loss of business during the system down time. That’s just the costs related to the incident. Going forward, medical center officials also anticipate an ongoing additional expense of $250,000 to $400,000 a month for investments in upgraded technology and employee education to harden its computer system defenses to reduce the risk and impact of future attacks.

Stay up to date on the Healthcare Information Security news that you need to know by signing up for our Healthcare Briefing at:

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.