HealthBlawg

David Harlow's Health Care Law Blog


Cybersecurity Reports and HIPAA Chat Webinar

May 24, 2017

Join me Thursday May 25, 2017 at 1 p.m. ET for the next edition of HIPAA Chat (follow the link for free registration). David Finn, Symantec’s Health IT Officer, will be our guest, and we’ll be discussing Symantec’s recently released 2017 Internet Security Threat Report for Healthcare.

Update: Listen to this edition of HIPAA Chat right here:

Ransomware and IoT top the list for 2016 threats. Sadly, exploits that continue to wreak havoc are mostly preventable. Collectively, we need to figure out how to prioritize prevention.

David Finn is on the US HHS Health Care Industry Cybersecurity Task Force which has been looking at these same sorts of issues with a laser focus on the health care sector. The Task Force was charged under CISA to

  • Analyze how other industries have implemented strategies and safeguards to address cybersecurity threats;
  • Analyze challenges and barriers the health care industry encounters when securing itself against cyber-attacks;
  • Review challenges to secure networked medical devices and other software or systems that connect to an electronic health record;
  • Provide the Secretary with information to disseminate to health care industry stakeholders to improve their preparedness for, and response to, cybersecurity threats;
  • Establish a plan to create a single system for the Federal Government to share actionable intelligence regarding cybersecurity threats to the health care industry in near real time for no fee; and
  • Report to Congress on the findings and recommendations of the task force.

While your faithful HealthBlawger would like to be proven wrong here, he does not hold any great hopes for dramatic improvements in understanding or addressing cybersecurity issues as a result of the issuance of a point-in-time report by a task force which is then disbanded. The nature of the threat, or threats, is too dynamic. (See an old post entitled CISA: Big Brother is Watching.)

As of this writing, the task force’s report is not yet public, though we’ve seen posts about leaked copies here and here.

The task force reportedly issues about a hundred “action items,” distributed across six “imperatives”:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

  2. Increase the security and resilience of medical devices and health IT.

  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

  4. Increase health care industry readiness through improved cybersecurity awareness and education.

  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

  6. Improve information sharing of industry threats, weaknesses, and mitigations.

It is, of course, hard to argue with these imperatives, or with many of the action items, which reportedly include:

  • Revise anti-kickback laws to allow organizations to share cyber resources
  • Phase out old, insecure technologies like “Cash for Clunkers” did in 2009
  • Through FDA regulation, build better cyber into medical devices
  • Better assure the authenticity of workers, patients, devices and EHRs
  • Think about small- and medium-sized providers who can’t afford technical resources
  • Establish and implement good “cybersecurity hygiene” across health care
  • HHS should develop educational resources
  • Ensure the protection of large data sets

The problem is that we already know what we need to do, but we are collectively not devoting the resources necessary to do a good job of hardening assets that could be targets of cyberattacks, be they in the form of ransomware or otherwise.

The recent WannaCry ransomware episode, which exploited a known vulnerability in Windows, should serve as a wake-up call to the industry, but the likelihood is that it will not. Windows 7 and Windows 10 patches for the vulnerability were available before the exploit began. However, many healthcare institutions in the US and abroad use the older Windows XP, even though it is no longer supported by Microsoft. Microsoft made a patch available for Windows XP after the fact — but dozens of National Health Service facilities in the UK running Windows XP were already infected, and were effectively shut down by the ransomware attack (as were a multitude of other users in over a hundred countries).

Again, we know what we need to do, but given how under-resourced and inefficient the “system” is (let’s not even start down the path of why folks are running XP years after its end-of-life) how is cybersecurity going to be funded at an appropriate level system-wide?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: Compliance, Digital Health, Health care policy, Health Law, Healthcare Innovation, HIPAA, Privacy, Security

