Privacy & Security
The public platform, DTSec, contains a set of security performance requirements to prevent cyberattacks and data breaches.
Ransomware attackers collect ransom from Kansas hospital, don't unlock all the data, then demand mo…
Kansas Heart Hospital declined to pay the second ransom, saying that would not be wise. Security experts, meanwhile, are warning that ransomware attacks will only get worse.
The cyber-threats are increasingly hitting healthcare organizations with great effectiveness, and the OCR is preparing to assist executives seeking to better protect their data and systems.
Healthcare organizations are dealing with an epidemic of threats to the security of electronic health records (EHR). From breaches to ransomware to employee data violations, securing healthcare data while meeting data privacy compliance demands is under a heightened threat level.
Rise of the healthcare epidemic
There’s a perfect storm of events that are causing an increase in cybercrime: national laws and policies have encouraged healthcare organizations to move to EHR (98 percent of hospitals in the US); available technology to ease the transition to EHR; and high value for EHR on the black market (FBI Cyber Division Private Industry Notification #140408-009, 8 Apr. 2014, puts the value at $50 for each partial EHR).
In addition, there is increased pressure to innovate to stay competitive by delivering differentiated services. Healthcare organizations are now leveraging technology and information systems to reduce costs, improve the quality of care and make it easier for patients to be proactive in their own healthcare. This has revealed new capabilities for healthcare staff to do their jobs more efficiently, but with every technology advancement comes the challenge of ensuring that technology is easy to use, reliable and secure.
While cyber criminals are a growing threat as seen by the recent ransomware debacles, it can’t be the only area of focus to protect EHR. In the recent 2016 State of Data Security and Compliance Report published by Ipswitch, Inc, more than 500 IT professionals (91 in healthcare organizations) from around the world were surveyed about their data security policies. Those in healthcare organizations that identified as having experienced a significant data loss noted that only 20 percent was due to malicious activities, while 45 percent was due to human error and 35 percent due to process or network failure. Interestingly, in that same report only 34 percent in healthcare reported their organization as very efficient in identifying risks and 42 percent as very efficient in mitigating risks.
No silver bullet to protect EHRs
There’s general agreement in the IT community that given the complexity of modern healthcare technology there is no silver bullet for EHR data protection. Employee behavior is a critical risk, including loss of personal devices without adequate access control or EHR data encryption, and their unknowing participation in social-engineering exploits. And while more than 80 percent of hospitals in the U.S. have electronic medical records (EMR) systems (4567 of 5627) that offer protection of EHR, there’s a continued need to securely send and receive EHR externally. EHR is increasingly vulnerable when in-motion outside of protected healthcare infrastructure.
HIPAA/HITECH identifies IT controls to protect data including encryption, network perimeter defense, effective access control and employee training, and yet data loss is a growing trend. A deputy CISO from a large healthcare organization at the recent Secure World Conference in Boston said that his primary focus is no longer on HIPAA compliance. It’s just a given that any new technology they consider must comply. When talking with technology vendors, he’s now more interested in their capabilities to help identify and mitigate risks.
To learn more, join the upcoming HIMSS Media webinar, Combatting the Epidemic of Healthcare Data Threats with John Houston, VP Information Security & Privacy, UPMC (University of Pennsylvania Medical Center). During the webinar, you’ll learn:
What are the essential IT controls to protect healthcare data-in-motion?
What are tips and tricks to cost-effectively pass your next audit?
What are practical strategies including automation to cost-effectively reduce data loss?
Which file transfer and sharing technologies help or hurt your data protection?
For additional resources to learn how you can protect your EHR data-in-motion visit
https://www.ipswitch.com/resources/case-studies/rochester-general-relies-on-moveit-to-transfer-medical-records-and-meet-hippa-hitech-compliance
The CERT Division of Carnegie Mellon's Software Engineering Institute has released its list of 10 technologies emerging in the next five years with the greatest vulnerabilities in terms of cybersecurity, finance, personal health and safety.
Valita Fredland most recently served as chief privacy officer and counsel at IU Health. In her new post, Fredland will serve as vice president, general counsel and privacy officer.
New species of the malicious code are found in the wild on a regular basis. Here are some of the newest types of ransomware.
Cybersecurity special report: Ransomware will get worse, hackers targeting whales, medical devices …
Cybercriminals have set their sights on healthcare. Ransomware is the new normal. And many providers are approaching security all wrong. CIOs, CISOs, ethical hackers and other experts point the way forward.
IBM plans to launch a cloud-based version of Watson's cognitive computing technology, designed solely to zero in on cybersecurity language, as a part of a year-long research project, the company announced Tuesday.
The Watson for Cyber Security platform is touted as the first technology to offer cognition of security data. Watson will pull the majority of its cognitive data from the X-Force research library: a threat intelligence platform with 20 years of security research, details on 8 million spam and phishing attacks and more than 100,000 documented vulnerabilities.
"Even if the industry was able to fill the estimated 1.5 million open cybersecurity jobs by 2020, we'd still have a skills crisis in security," Marc van Zadelhoff, general manager of IBM Security, said in a statement. "The volume and velocity of data in security is one of our greatest challenges in dealing with cybercrime."
Beginning in the fall, IBM will also collaborate with eight universities to expand the amount of security data the company has already inputted into the platform. California State Polytechnic University, Pomona; Pennsylvania State University; Massachusetts Institute of Technology; and New York University are among the institutions that will work with IBM to contribute to Watson's training.
The students will also train Watson on cybersecurity language, while working closely with IBM's security experts to learn how to read security intelligence to gain first-hand experience in cognitive security.
IBM plans to process up to 15,000 security documents – threat intelligence reports, cybercrime strategies, threat databases – each month over the next training stages in collaboration with all stakeholders.
Watson for Cybersecurity will not only provide insights on any emerging threats, it will also make recommendations on how to stop them. Additionally, the system will use data mining techniques to find outliers. IBM will begin beta production deployments later this year.
"By leveraging Watson’s ability to bring context to staggering amounts of unstructured data, impossible for people alone to process, we will bring new insights, recommendations and knowledge to security professionals," said van Zadelhoff, "bringing greater speed and precision to the most advanced cybersecurity analysts, and providing novice analysts with on-the-job training."
A healthcare attorney spotlights big problems and offers advice on ways to navigate around the pitfalls, from cybersecurity insurance to HIPAA, social media to patient access.