Tag: cybersecurity

Webinar 3/18 | ASPR Healthcare System Cybersecurity Response

From the HHS Office of the Assistant Secretary for Preparedness and Response

Healthcare System Cybersecurity Response: Experiences and Considerations March 18, 2021 ~ 1:30-2:45 PM ET

Presenters on this webinar will discuss their experiences and tangible lessons learned in responding to cybersecurity incidents. This webinar builds upon the recently released Healthcare System Cybersecurity: Readiness and Response Considerations document and accompanying overview presentation that describes how to use the resource. The webinar will take place on Thursday, March 18, 2021 from 1:30-2:45 PM ET.

Register today!

Moderator:

  • John Hick, MD, Hennepin Healthcare

Introductions:

  • Laura Wolf, Ph.D., Director, Division of Critical Infrastructure Protection, HHS ASPR

Speakers (listed in alphabetical order):
  • Lisa Bazis, MS, Chief Information Security Officer, Nebraska Medicine
  • Craig DeAtley, PA-C, Director, Institute for Public Health Emergency Readiness, MedStar Washington Hospital Center
  • Dawn Straub, MSN, RN, NEA-BC, Executive Director, Nursing Professional Practice & Informatics, Nebraska Medicine


Cybersecurity for EMS: Combatting The Cyber Kill Chain

Watch on Facebook Live | Watch on YouTube
Recorded February 25, 2021
Speaker: Mark Campbell, Global Medical Response

Add your IT and Cybersecurity Team to AAA’s New Working Group!

AAA members, please email the name, job title, and email address of your tech leader to amanda@ambulance.org for inclusion in a new Basecamp collaborative group.

CISA Cyber Hygiene Services

Reducing the Risk of a Successful Cyber Attack

Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. The Cybersecurity and Infrastructure Security Agency (CISA) offers several scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.

  • Vulnerability Scanning: Evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.
  • Web Application Scanning: Evaluates known and discovered publicly-accessible websites for potential bugs and weak configuration to provide recommendations for mitigating web application security risks.
  • Phishing Campaign Assessment: Provides an opportunity for determining the potential susceptibility of personnel to phishing attacks. This is a practical exercise intended to support and measure the effectiveness of security awareness training.
  • Remote Penetration Test: Simulates the tactics and techniques of real-world adversaries to identify and validate exploitable pathways. This service is ideal for testing perimeter defenses, the security of externally-available applications, and the potential for exploitation of open source information.

Frequently Asked Questions

How much does it cost? CISA cybersecurity assessment services are available at no cost.

Who can receive services? Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations.

When will my services begin? Vulnerability Scanning and Web Application Scanning typically begin within one week of returning the appropriate forms.

Who performs the service? Cyber Hygiene services are provided by CISA’s highly trained information security experts equipped with top of the line tools. Our mission is to measurably reduce cybersecurity risks to the Nation by providing services to government and critical infrastructure stakeholders.

Get Started

Email us at vulnerability_info@cisa.dhs.gov with the subject line “Requesting Cyber Hygiene Services” to get started.

Data Privacy

This past January, the AAA hosted a webinar presented by EMS/healthcare attorneys Matthew Streger, Margaret Keavney, and Rebecca Ragkoski, titled Cybersecurity: Top 10 Considerations in Healthcare and How to Address Them. During this very informative webinar, Matt, Margaret, and Rebecca covered one of the biggest issues facing EMS and other healthcare providers today: data security. If you did not get a chance to listen to this program, it is available on-demand at the AAA website.

As highlighted in their webinar, data security and data breach concerns are among the most frequently encountered issues facing EMS agencies, both as healthcare providers and as employers. Ensuring that patient and employee protected health information (PHI) and personally identifiable information (PII) are adequately protected from unauthorized access or intrusion is critically important.

Alabama has become the 50th state to enact data breach notification requirements for individuals and businesses in the state. The Society for Human Resource Management (SHRM) provides a good summary of the new requirements in several articles published this week. The National Conference of State Legislatures is a useful resource for learning which laws apply to your organization. Of course, all members are advised to engage a law firm familiar with data security requirements at both the federal and state level.

It is critically important for EMS agencies to perform a risk analysis of all data systems. This analysis should include every third-party hosted web platform that contains, or may contain, PHI or PII. EMS leaders should work with their IT departments and the rest of EMS leadership to identify everywhere PHI or PII might be found. Be sure to include any incident reporting system the agency uses. These systems often record response locations, which can include patient addresses or other PHI, and many also hold employee incident and injury data, which can include PII. Make sure these often-overlooked systems meet the security requirements of the applicable federal and state data protection laws.

HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.

This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.

While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information these devices can reach is called protected health information, or PHI. PHI is individually identifiable health information: any information about a patient's health condition, treatment, or payment for care that is tied to an identifier such as a name, date of birth, address, telephone number, insurance ID number, or full-face photograph.

The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. Because ambulance services transmit health information electronically for billing, they are Covered Entities under HIPAA, meaning that they are responsible for complying with both the HIPAA Privacy Rule and the HIPAA Security Rule.

These two rules set limits on how and when PHI may be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.

  • All mobile devices that can access PHI must have full-disk encryption, and device data should be routinely backed up to encrypted storage. If a device is lost or stolen, full-disk encryption keeps thieves from reading the health data on it. It also matters for reporting: under the HIPAA breach notification rules, loss of a properly encrypted device is not treated as a breach of unsecured PHI, while loss of an unencrypted one is.
  • Your organization should have HIPAA policies and procedures in place pertaining to mobile devices taken “off-site.” This would necessarily include all laptops, tablets, and smartphones with access to PHI that are used in pre-hospital care in an ambulance. By outlining when devices are permitted to be used, who is permitted to use them, and how they are to be handled in off-site settings, your organization will mitigate the risk to PHI stored on these devices.
  • Keep a full inventory of all devices within your organization that can access or handle PHI in any way. Routine check-ups on the condition and location of devices listed in your inventory will help ensure that devices are not misplaced. And in the event that a device is misplaced or stolen, organization officials will notice as soon as the inventory is reviewed so that action can be taken to remedy the breach.
  • Access to PHI on mobile devices and in pre-hospital settings should be limited only to essential members of the organization’s workforce. This is known as the Minimum Necessary Standard. It’s a part of the HIPAA Privacy Rule that states that access to PHI must be limited based on employees’ roles, and that when access is granted, it should be limited to the minimum access necessary for each employee to perform their role.
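The inventory and encryption items above are only useful if someone actually reconciles the inventory against what the devices report. The following is an added example (not code from the original page or from any MDM vendor) of that check: it compares a constructed device inventory with a constructed mobile-device-management export and flags PHI-handling devices that report no disk encryption, PHI-handling devices the MDM has never enrolled, devices that have gone silent longer than an assumed 14-day policy, and serials the MDM knows but the inventory does not. The column names, serials and dates are all assumptions for illustration.

```python
"""Reconcile a PHI-handling device inventory against what the MDM reports.

Added example, not from the page or any vendor. The CSV columns, the asset
tags/serials and the check-in dates are constructed for illustration; a real
MDM export will need its own column mapping.
"""
import csv
import io
from datetime import date

# Constructed inventory: what the organization believes it owns and who has it.
INVENTORY_CSV = """\
asset_tag,serial,type,assigned_to,handles_phi
A-1001,SN-AAA,tablet,Unit 12,yes
A-1002,SN-BBB,laptop,Supervisor,yes
A-1003,SN-CCC,phone,Billing,yes
A-1004,SN-DDD,tablet,Spare,no
"""

# Constructed MDM export: what enrolled devices actually report about themselves.
MDM_CSV = """\
serial,disk_encrypted,last_checkin
SN-AAA,true,2021-02-20
SN-BBB,false,2021-03-17
SN-DDD,true,2021-03-17
SN-ZZZ,true,2021-03-17
"""

TODAY = date(2021, 3, 18)   # fixed so the run is reproducible
MAX_SILENCE_DAYS = 14       # assumed policy: silent longer than this means "missing"


def parse_csv(text):
    """Parse an in-memory CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_rows, mdm_rows, today=TODAY, max_silence_days=MAX_SILENCE_DAYS):
    """Compare inventory to MDM data and return findings keyed by category.

    unencrypted_phi: device handles PHI but reports no full-disk encryption
    not_enrolled:    device handles PHI but the MDM has never seen it
    stale:           device has not checked in within max_silence_days
    unknown_device:  MDM knows a serial the inventory does not (inventory drift)
    """
    mdm_by_serial = {r["serial"].strip(): r for r in mdm_rows}
    inv_by_serial = {r["serial"].strip(): r for r in inventory_rows}
    findings = {"unencrypted_phi": [], "not_enrolled": [], "stale": [], "unknown_device": []}

    for serial, dev in inv_by_serial.items():
        handles_phi = dev["handles_phi"].strip().lower() == "yes"
        report = mdm_by_serial.get(serial)
        if report is None:
            if handles_phi:
                findings["not_enrolled"].append(serial)
            continue
        encrypted = report["disk_encrypted"].strip().lower() == "true"
        if handles_phi and not encrypted:
            findings["unencrypted_phi"].append(serial)
        last_seen = date.fromisoformat(report["last_checkin"].strip())
        if (today - last_seen).days > max_silence_days:
            findings["stale"].append(serial)

    for serial in mdm_by_serial:
        if serial not in inv_by_serial:
            findings["unknown_device"].append(serial)

    return {k: sorted(v) for k, v in findings.items()}


def run_report():
    """Run the reconciliation on the constructed data and return the findings."""
    return reconcile(parse_csv(INVENTORY_CSV), parse_csv(MDM_CSV))


if __name__ == "__main__":
    for category, serials in run_report().items():
        print(f"{category:16s} {', '.join(serials) or '-'}")
```

On the constructed data the laptop SN-BBB is flagged as an unencrypted PHI device, the billing phone SN-CCC as never enrolled, the tablet SN-AAA as silent for 26 days, and SN-ZZZ as a device the inventory does not know about. Each of those is a different failure of the inventory control, and the last two are exactly the cases where a lost device goes unnoticed until the review.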

These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.

In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.

Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.

Ransomware: A Ticking Time Bomb for Health Care

By Cindy Elbert
President, Cindy Elbert Insurance Services, Inc

If you’re doing business online, you need cyber-insurance. That was never truer than on May 12, 2017, when the “WannaCry” ransomware worm hit tens of thousands of computers in at least 74 countries within hours. WannaCry encrypted victims’ files and demanded a ransom of $300 in bitcoin, rising if it was not paid within days, to unlock them; it did not steal data, but it spread on its own between unpatched Windows machines, and hospitals and other medical facilities, with their large fleets of older systems, were among the hardest hit. Health records are a prime target for thieves because they contain not only names, home addresses, financial information and religious affiliations, but also mental health and medical diagnoses, addiction histories, HIV status, and sexual assault and domestic violence reports. A gold mine of personal information for those with dark purposes.

Two days earlier, a data breach at the Bronx-Lebanon Hospital Center in New York compromised the medical records of at least 7,000 people. According to NBC News, “Leaks from the Rsync servers, which transfer and synchronize files across systems, are common. How many more nude photos of patients or ultrasound images will be exposed because of misconfigured Rsync backups?”

On May 4, 2017, a group calling itself TheDarkOverlord uploaded almost 180,000 stolen patient/medical records from three companies to the Internet because the companies refused to pay a ransom. The stolen databases were in .csv format and contained health information about cardiac diagnoses and psychiatric conditions such as depression, along with dates of birth and Social Security numbers.

Most ransomware attacks are run by organized criminal groups. They use networks of already-infected computers to send spam carrying the malware, and each recipient who opens the attachment infects another machine. A typical lure is an email forged to look like it comes from a co-worker or friend, asking the recipient to open an attached file; another appears to come from a trusted institution, such as a bank or merchant, asking you to perform a specific task. In other cases the hackers use scare tactics, claiming the victim’s computer has been used for illegal activities, to bully the victim into acting. Once the malware executes, it encrypts files and demands a ransom to unlock them.
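The three lures above (a forged co-worker, a forged institution, a scare tactic) all arrive the same way, as an external message carrying an executable attachment, so they can be triaged mechanically before a crew member ever sees them. The following is an added example (not code from the original article or any mail product) that parses three constructed messages with Python's standard email library and flags external or look-alike senders, Reply-To mismatches, attachments with risky extensions, and lure wording in the subject or body; the INTERNAL_DOMAIN, extension list, phrase list and sample messages are all assumptions for illustration.

```python
"""Triage inbound mail for the ransomware lures described above.

Added example, not from the page or any product. The sample messages, the
INTERNAL_DOMAIN, the risky-extension list and the lure phrases are all
constructed assumptions for illustration; tune them to your own environment.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-ems.org"   # assumed organization mail domain
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso",
                    ".docm", ".xlsm", ".zip"}
LURE_PHRASES = ("invoice attached", "your account has been", "illegal activity",
                "verify your", "within 24 hours")

# Constructed: external sender on a look-alike domain posing as a co-worker.
SAMPLE_SPOOFED_COWORKER = """\
From: "Dawn Jenkins (Billing)" <dawn.jenkins@example-ems.org.attacker-mail.net>
To: crew@example-ems.org
Subject: Invoice attached - please review today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Hi, the invoice attached needs your sign-off before end of shift, thanks.
--XX
Content-Type: application/octet-stream; name="invoice_0427.docm"
Content-Disposition: attachment; filename="invoice_0427.docm"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

# Constructed: scare-tactic lure from a "trusted institution" with a zip attachment.
SAMPLE_SCARE = """\
From: "Security Alert" <alerts@bank-notices.example>
To: billing@example-ems.org
Subject: Your account has been used for illegal activity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YY"

--YY
Content-Type: text/plain

Open the attached report and verify your identity within 24 hours.
--YY
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

AAAA
--YY--
"""

# Constructed: ordinary internal message, should pass.
SAMPLE_BENIGN = """\
From: "Dawn Jenkins" <dawn.jenkins@example-ems.org>
To: crew@example-ems.org
Subject: Shift swap for Friday
Content-Type: text/plain

Can anyone cover the 0700 shift on Friday?
"""


def triage(raw_message):
    """Return (verdict, findings) for one RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain != INTERNAL_DOMAIN:
        # A domain or display name that borrows our own domain is worse than plain external.
        if INTERNAL_DOMAIN in sender_domain or INTERNAL_DOMAIN in display.lower():
            findings.append("internal-lookalike-sender")
        else:
            findings.append("external-sender")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to-mismatch")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment:{name}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    subject = str(msg.get("Subject", "")).lower()
    if any(p in subject or p in text for p in LURE_PHRASES):
        findings.append("lure-language")

    if "internal-lookalike-sender" in findings or any(f.startswith("risky-attachment:") for f in findings):
        verdict = "block"
    elif "external-sender" in findings and "lure-language" in findings:
        verdict = "flag"
    else:
        verdict = "allow"
    return verdict, findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED_COWORKER), ("scare", SAMPLE_SCARE), ("benign", SAMPLE_BENIGN)):
        print(label, *triage(sample))
```

The two lures are blocked outright because they carry a macro document and a zip file from outside the organization, and the forged co-worker is additionally caught because its real sending domain merely contains the organization's domain as a prefix. Filename extension and sender domain are crude signals on their own, which is why the verdict combines them; a mail gateway would add attachment detonation and authentication results (SPF/DKIM/DMARC) to the same decision.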

Imagine the nightmare scenario: medical teams in the field, relying on tablets, laptops, smartphones and PDAs to access patient care records, suddenly find that their data has been locked by malware and held for ransom, with lives in the balance.

Companies need the protection cyber liability insurance offers now more than ever.

Why Your Company Needs Cyber Liability Insurance

  • A single data breach could cost your company thousands of dollars, not to mention the hit to your reputation.
  • Hackers can be halfway across the world—or at the desk next to you.
  • An employee losing a company laptop or cell phone could result in a major security breach.
  • The more personal information your company collects, the greater your exposure to a data breach.
  • On March 28, 2017, Congress voted to repeal the FCC rules that would have barred Internet providers from collecting and selling customers’ web browsing histories, putting copies of more of your data in more hands.
  • The average forensic investigation runs $25,000 per server.

Cyberthreats By the Numbers

  • Sixty percent of uninsured small businesses close their doors within six months following a cyber attack.
  • According to the 2016 NetDiligence Cyber Claims Study, healthcare accounted for 19% of claims by sector.
  • The average cost for a breached healthcare company is $717,000.
  • According to the Identity Theft Resource Center’s 2017 Data Breach report, almost 2 million records have been stolen so far this year, making up 22 percent of all breaches – and this is before the “WannaCry” ransomware attack.
  • Forty-seven states mandate that your company take certain measures in the event of a security breach

Protect Your Company

Ransomware attacks and cyber theft will not be defeated any time soon. So now is the time to ask: How do you store sensitive information? How do you control access to it? Do you use a firewall and endpoint protection software? Do you allow employees and others remote access to your databases, and is that access secured? Do you have a written security policy? And, most importantly, do you have cyber liability insurance? If your company stores customer information, especially billing and medical data, there is no question about it: you must protect yourself from the growing legion of cyber predators. You need cyber liability insurance.

About the Author

Cindy Elbert is President of Cindy Elbert Insurance Services, Inc. She is a licensed Property & Casualty Insurance broker/agent, and a proud member of the American Ambulance Association, California Ambulance Association, Arizona Ambulance Association, and The Independent Agents Association.

Cindy has been assisting ambulance providers with their insurance needs since 1982. She understands your questions and concerns and with her relationships with insurance underwriters she can provide you with coverage and service you deserve.
www.ambulanceinsurance.com
Visit the CEIS booth at the AAA Annual Conference & Trade Show!

Ransomware Alert

A few days ago, multiple news agencies reported a large-scale cyber-attack on healthcare networks worldwide. The New York Times and the Washington Post reported yesterday that hackers used an exploit tool stolen from the National Security Agency (NSA) to spread ransomware across numerous healthcare networks, including Britain’s National Health Service. The ransomware has essentially held these systems hostage, locking users out of their data. The attack has spread to at least 74 countries, including India and countries in Africa and South America. It highlights the vulnerability of healthcare providers, including ambulance services, which have become increasingly dependent on technology. The worm spreads through a flaw in Windows file sharing (SMBv1) that Microsoft patched in March 2017 (MS17-010); applying that patch and blocking SMB at the Internet perimeter stops this particular strain from spreading.

If your service has not performed a Risk Analysis, as required by the HIPAA (Health Insurance Portability &amp; Accountability Act) Security Rule, or has not done so in the last year, I suggest that you do so as soon as possible. If members are uncertain or concerned about how to come into compliance with HIPAA, please contact the consultants available as part of their AAA membership.