Categories
Health Law Highlights

Healthcare Organizations at Risk of Data Breach Due to Insecure File Sharing Practices

Summary of article from HIT Consultant, by Fred Pennic:

A recent report highlights significant vulnerabilities in healthcare organizations’ data security practices, particularly concerning insecure file sharing. Key findings reveal that 25% of publicly shared files and 68% of externally shared private files contain Personally Identifiable Information (PII), while 77% of internally shared private files also include PII. Additionally, many organizations fail to update or remove access permissions, increasing security risks. The consequences of these practices include rising data breaches, substantial financial impacts from ransomware attacks, and potential compliance violations with HIPAA and GDPR regulations. The report also notes the risk to financial data, such as credit card information, stored in insecure files. To mitigate these risks, healthcare organizations must adopt robust data loss prevention (DLP) solutions and data security tools to ensure proper handling and sharing of sensitive information. Metomic emphasizes the need for these tools to prevent data leaks and protect both patient information and organizational integrity.

Balancing Act: Industry Concerns Over CISA’s Proposed Cyber Incident Reporting Rule

Summary of article from Bradley Arant Boult Cummings LLP, by Sinan Pismisoglu, Eric Setterlund:

The proposed cyber incident reporting rule by the Cybersecurity and Infrastructure Security Agency (CISA) aims to enhance national cyber defenses but has raised concerns about its broad scope and potential overreporting, which could overwhelm CISA with low-value data. Industry groups, particularly in manufacturing and healthcare, worry about the rule’s impact, citing increased compliance burdens and potential disruptions. Recommendations to address these issues include narrowing the rule’s scope, harmonizing reporting mechanisms, providing support to smaller entities, and tailoring requirements to specific industry needs. The debate highlights the need for a balanced approach that strengthens cybersecurity while ensuring practical compliance for businesses. Collaboration between CISA and industry stakeholders is essential to refine the rule and achieve this balance.

HHS and FBI Release Joint Cybersecurity Advisory Statement for Healthcare Providers

Summary of article from Morgan Lewis, by Amy M. Magnano, Michael J. Madderra, Roshni Edalur:

The Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory (CSA) to alert healthcare providers about phishing attacks and the associated tactics used by threat actors. The advisory emphasizes the importance of updating security measures, including the implementation of multi-factor authentication and enhanced IT Help Desk training to combat social engineering attacks. It also recommends securing remote access tools and testing security programs against outlined threat behaviors. The CSA provides specific indicators of compromise and suggests proactive steps to mitigate risks. Morgan Lewis offers guidance and best practices to help healthcare entities navigate these cybersecurity challenges.

Data Privacy in Healthcare: Balancing Innovation with Patient Security

Summary of article from Healthcare IT Today, by Ganesh Nathella:

The integration of digital technologies in healthcare has improved patient care but also raised significant data privacy concerns. Healthcare organizations are investing in robust data protection measures as they adopt tools like telemedicine and remote monitoring. Emerging technologies such as blockchain, AI, and IoT offer solutions but also introduce new security challenges. Compliance with regulations like HIPAA and GDPR is critical, though fragmented global standards complicate this. Balancing innovation with patient security is essential for maintaining trust and advancing healthcare.

Healthcare Groups Say Cyber Rule Should Explicitly Name Insurers, Vendors

Summary of article from Healthcare Dive, by Emily Olsen:

Healthcare and hospital groups are urging the Cybersecurity and Infrastructure Security Agency (CISA) to explicitly include insurers and third-party vendors in its proposed cybersecurity reporting rule, citing the interconnected nature of the healthcare sector and the potential widespread impact of cyber incidents. The rule, which mandates reporting of cyber incidents within 72 hours and ransom payments within 24 hours, currently does not specify sector-specific criteria for these entities. Industry groups argue that the exclusion could leave significant vulnerabilities unaddressed, as demonstrated by the recent cyberattack on Change Healthcare. They also express concerns over the stringent reporting timelines and the additional burdens they could impose, particularly on under-resourced hospitals. These groups are calling for more flexibility, financial support, and technical assistance to ensure effective incident management without compromising patient care.

Texas Retina Associates Cyberattack Affects 312,000 Patients

Summary of article from The HIPAA Journal, by Steve Adler:

A cyberattack on Texas Retina Associates, the largest ophthalmology practice in Texas, has compromised the sensitive data of 312,867 patients. The breach, which occurred from October 8, 2023, to March 27, 2024, exposed personal information including names, addresses, Social Security numbers, and medical details. Texas Retina Associates has since secured its systems, enhanced cybersecurity measures, and provided additional training to its staff. Notifications are being issued to affected individuals as a precaution, and a helpline has been established for further assistance. The practice has not mentioned offering complimentary credit monitoring or identity protection services.

Report Reviews Updates on Health Cybersecurity and Ransomware

Summary of article from Robinson & Cole LLP, by Linn F. Freedman:

The Health Sector Cybersecurity Coordination Center (HC3) has recently issued two critical alerts for the healthcare sector. The first alert, dated June 18, 2024, concerns Qilin (also known as Agenda Ransomware), a ransomware-as-a-service (RaaS) operation that targets healthcare organizations through spear phishing and other tools and employs double extortion tactics. The second alert, issued on June 27, 2024, highlights a critical improper authentication vulnerability in the MOVEit file transfer platform and urges healthcare organizations to apply the available patches promptly to prevent exploitation. Progress, the platform’s owner, has released patches, but the vulnerability remains actively targeted by cyber threat actors. HC3 emphasizes the urgency of addressing these threats to protect against data loss and compromise.

5 Best Practices for Achieving Healthcare Cloud Compliance

Summary of article from Pro IT Today, by Christopher Tozzi:

Healthcare organizations can ensure cloud compliance by adopting several key practices. Implementing a zero trust security strategy is essential to protect sensitive data by granting access only when necessary. Educating cloud engineers about specific compliance requirements and using cloud data loss prevention (DLP) tools to detect and secure sensitive information are also crucial steps. Additionally, considering on-premises storage for highly sensitive data and opting for simpler cloud architectures can help minimize compliance risks. These measures collectively support the secure and compliant management of healthcare data in cloud environments.

Healthcare Scores a B for Cybersecurity

Summary of article from The HIPAA Journal, by Steve Adler:

SecurityScorecard awarded the U.S. healthcare industry a B+ cybersecurity rating for the first half of 2024, despite significant breaches, including a major ransomware attack on Change Healthcare. The study assessed the top 500 publicly traded healthcare companies, revealing a mean security score of 88. Medical device manufacturers and suppliers had the lowest security scores within the sector, largely due to their extensive attack surfaces. Key areas for improvement include application security, DNS health, and network security, with common issues such as weak SSL/TLS protocols and outdated web browsers. Recommendations for enhancing security emphasize third-party risk management and improved application and endpoint security practices.

Cyber Attacks on Health Care Up 136% Last Year

Summary of article from Medical Economics, by Grace Koennecke:

In 2023, the US experienced a significant rise in data breaches, with 3,205 incidents reported, marking a 78% increase from 2022. The healthcare industry saw a 136% increase in data breaches, affecting 56 million individuals, while the financial services sector experienced a 177% rise, impacting 61 million people. The Identity Theft Resource Center recommends that the healthcare sector adopt stronger breach notice laws and improve vendor due diligence to mitigate cyber threats.