1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

HHS Issues Quick Response Cyber Attack Checklist

Last month, after the WannaCry ransomware attack infected 230,000 computers in 150 countries, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a “Quick-Response Checklist” for HIPPA covered entities and business associates to follow when responding to a ransomware attack or other “cyber-related security incident,” as that phrase is defined under the HIPAA Security Rule. 45 C.F.R. 164.304.

Checklist Recommendations

The checklist provides four recommendations:

  1. Execute the response and mitigation procedures and contingency plans. Entities should immediately fix any technical or other problems to stop the incident and take steps to mitigate any impermissible disclosure of protected health information (either done by the entity’s own information technology staff, or by an outside entity brought in to help).
  2. Report the crime to other law enforcement agencies. This includes state or local law enforcement, the FBI, or the Secret Service. The OCR makes clear that any such report should not include protected health information (unless otherwise permitted by the HIPPA Privacy Rule).
  3. Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs). A cyber threat indicator is defined under federal law as information that is necessary to identify malicious cyber activity. The US Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs are all identified as acceptable information-sharing organizations under the new checklist. The OCR, however, makes clear that it does not receive reports from its federal or HHS partners.
  4. Report the breach to OCR as soon as possible, “but no later than 60 days after the discovery of a breach affecting 500 or more individuals.” Entities should notify “affected individuals and the media unless a law enforcement official has requested a delay in the reporting.” The OCR also presumes that all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify individuals without unreasonable delay, but no later than 60 days after discovery. And the OCR must be notified within 60 days after the end of the calendar year in which the breach was discovered.

In the end, the OCR states that it considers “all mitigation efforts taken by the entity during any particular breach investigation,” including the voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations, as outlined in the checklist.

Takeaways

The OCR’s checklist makes clear that preparing for, and responding quickly to any potential breach should be a priority for HIPPA covered entities and their business associates. This includes preparing or updating enterprise wide incident response plans, training leadership, implementing effective governance programs, and having the ability to rapidly mobilize a response to malicious activity. Dentons’ global Privacy and Cybersecurity Group, in conjunction with Dentons’ leading healthcare practice, has extensive experience helping entities prepare and execute such plans and dealing with the rapidly changing legal and regulatory landscape that emerges in the aftermath of a security incident.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

HHS Issues Quick Response Cyber Attack Checklist

NIST Plans To Examine Internet of Things (IoT) For Its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is holding a Cybersecurity Framework Workshop this week at its headquarters in Gaithersburg, Maryland. The purpose of the workshop is to discuss issues related to its widely used Cybersecurity Framework. Sessions at the workshop are being livestreamed, and are exploring the extraterritorial application of the NIST framework, sector-specific requirements, and uses for small businesses.

One closely watched workshop being held today is entitled “Cyber Meets the Physical World,” and is intended to examine how the NIST framework can be applied to the Internet of Things (IoT) sector:

The diverse use and rapid proliferation of connected devices – typically captured by the “Internet of Things (IoT)” – creates enormous value for industry, consumers, and broader society. At the same time, emerging threats, such as last year’s Mirai DDoS attacks, highlight the critical need to develop and apply guidance to maintain the cybersecurity of devices and the ecosystems into which they are deployed. NIST is seeking feedback on how the Framework may be applied to the IoT, both in terms of the devices themselves, as well as their integration into broader enterprise and network environments. Topics in this breakout may include: existing IoT definitions and taxonomies and their consistency with the Framework; IoT specific threats and constraints; sector-specific considerations for IoT security; and the integration of IoT – specific threats into the Framework model.

NIST’s focus on IoT at its workshop this week comes on the heels of its new draft NIST cybersecurity guidance on securing wireless infusion pumps in the healthcare industry. NIST is accepting public comment on the new draft guidance through July 7, 2017.

NIST’s focus on the IoT sector also comes as the IoT sector is coming under greater regulatory scrutiny in the US. In 2015, the US Federal Trade Commission (FTC) issued guidance encouraging certain best practices in the IoT sector. In January 2017, the FTC brought its first enforcement action against a computer networking equipment manufacturer for failing to undertake what the FTC considers reasonable steps needed to secure wireless routers or IP cameras from “widely known and reasonably foreseeable” risks of unauthorized access by failing to proactively address “well-known and easily preventable security flaws.” And in California, a new bill is being considered by the California legislature (Cal. Senate Bill 327) that would impact the manufacturers and sellers of IoT connected devices by requiring them to:

  • Equip the device with reasonable security features appropriate to the nature of the device and the information it collects, contains or transmits;
  • Design the device to indicate to the consumer when it is collecting information;
  • Obtain consumer consent before the device collects or transmits information;
  • Provide an explicit privacy notification to the consumer about what data is collected by the device; and
  • Directly notifies consumers of security patches and updates intended to make the device more secure on an ongoing basis.

If you or your business is engaged in the IoT space, the Dentons Privacy and Cybersecurity Group can help you navigate the growing regulatory environment and understand and implement the new NIST framework standards, as they are developed and adopted. We will also continue to monitor the NIST / IoT developments and report any further developments coming out of the NIST conference this week.

NIST Plans To Examine Internet of Things (IoT) For Its Cybersecurity Framework

HHS Plans To Launch Cybersecurity Center Focused On Medical App Security

The US Department of Health and Human Services (HHS) announced on April 20 that it plans to launch a cybersecurity initiative modeled on the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that will be aimed at educating healthcare organizations and consumers about the risks of using mobile applications and data. The new center, which will be called the Health Cybersecurity and Communications Integration Center (HCCIC), is intended to be a collaborative effort between public and privacy industry. A similar cybersecurity initiative is being developed by the Centers for Medicare & Medicaid Services (CMS).

Chris Wlaschin, the chief information security officer for HHS, says this type of collaborative center is needed because approximately 50% of US healthcare organizations lack the adequate tools to deter and manage cyber breaches. As mobile health applications become more prevelant, the HHS sees the HCCIC as an opportunity to help developers secure patient data.

The new HHS center represents a continual effort by the federal government to address healthcare app cybersecurity. In December 2016, the FDA released guidance on “Mobile Medical Applications.” The HHS Office of Civil Rights and Federal Trade Commission  have also launched online resources for medical app cybersecurity. And HHS’s Health Care Industry Cybersecurity Task Force recently submitted a draft report to Congress that laid out six “imperatives” for lawmakers and executive branch officials to consider when seeking to secure patient data, including security surrounding applications.

If you or your company is developing, or has implemented a medical app, the Dentons Privacy and Cybersecurity Group can help you navigate this constantly developing federal landscape. We will also provide further updates as the HCCIC becomes operational this summer.

HHS Plans To Launch Cybersecurity Center Focused On Medical App Security

NIST Releases Draft Guidance On Securing Wireless Infusion Pumps In The Healthcare Industry

On May 8, 2017, the National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), released a new draft NIST Cybersecurity Practice Guide (SP 1800-8) entitled “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.” The purpose of the new guidance is to address the security flaws in external infusion pumps in the healthcare industry, and provide engineers and IT professionals a roadmap for how they can securely configure and deploy wireless infusion pumps by using “standards-based commercially available technologies and industry best practices[.]” NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sector, and are intended to serve as practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They do not describe regulations or mandatory practices. Nor do they carry statutory authority. NIST is accepting public comment on the new draft guidance through July 7, 2017.

Overview Of Draft Guidance

Infusion pumps are defined by the FDA as a medical device that delivers fluid into a patient’s body in a controlled manner. Once standalone instruments that interacted with the patient or medical provider only, infusion pumps are now connected to a variety of systems and networks, contributing to what NIST calls the Internet of Medical Things (IoMT). This new connectivity brings with it benefits and challenges. Although connecting fusion pumps to point-of-care medication systems and electronic health records can improve the healthcare delivery process, it can also create significant cybersecurity risk that could lead to operational or safety risks. Specifically, tampering with the wireless infusion pump ecosystem can expose a healthcare provider to:

  1. Access by malicious actors;
  2. Loss or corruption of enterprise information and patient data and health records;
  3. A breach of protected health information;
  4. Loss or disruption of healthcare services; or
  5. Damage to an organization’s reputation, productivity, and bottom-line revenue.

Key Takeaways From New Draft Guidance

The new guidance is written from a how-to perspective, providing details on how to install, configure and integrate components. It is therefore primarily intended for professionals implementing security solutions within a healthcare organization, such as biomedical, networking and cybersecurity engineers and IT professionals who are responsible for securing and configuring wireless infusion pumps. The new guidance maps out the security characteristics of wireless infusion pump ecosystems to currently available cybersecurity standards and the HIPAA Security Rule, and applies “security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors.”

NIST claims organizations will, if they adopt the new guidance:

  • Reduce cybersecurity risk, and potentially reduce impact to safety and operational risk, such as the loss of patient information or interference with the standard operation of a medical device;
  • Develop and execute a defense-in-depth strategy that protects the enterprise with layers of security to avoid a single point of failure and provides strong support for availability; and
  • Implement current cybersecurity standards and best practices, while maintaining the performance and usability of wireless infusion pumps.

A copy of the draft guidance is here. If you or your business are interested in submitting public comments in response to the new draft guidance, the Dentons Privacy and Cybersecurity Group can help. We are also prepared to assist your organization in navigating the new draft guidance and securing your networked devices against the constantly evolving threat landscape.

 

NIST Releases Draft Guidance On Securing Wireless Infusion Pumps In The Healthcare Industry

FBI Warns Cyber Criminals Are Targeting Unsecured FTP Servers In The Healthcare Industry

On March 22, 2017, the FBI issued a Private Industry Notification, warning that criminal actors are actively targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode and associated with medical and dental facilities to “access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners.” FTP’s are used to transfer information between various parties. When an FTP is placed in anonymous mode, it allows a user to authenticate the FTP server with a common username such as “anonymous” or “ftp” without submitting a password or by submitting a generic password or e-mail address.

The FBI warns that cyber criminals could use an FTP server in anonymous mode to store malicious tools or launch targeted cyber attacks. Therefore, “any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identify theft, or financial fraud.”

The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server.

The FBI encourages businesses to report information concerning suspicious or criminal activity to their local FBI office or the FBI’s 24/7 Cyber Watch.

A copy of the notification can be found here.

 

FBI Warns Cyber Criminals Are Targeting Unsecured FTP Servers In The Healthcare Industry