Categories
Health Law Highlights

Modernizing and Securing Hospital Technology Infrastructure

Summary of article from MedCity News, by Derek Grant:

The healthcare industry is undergoing a significant digital transformation, necessitating the modernization of technology infrastructure to improve patient outcomes and operational efficiency. Budget constraints and the complexity of integrating diverse systems across merged hospital networks pose significant challenges. Prioritizing security is critical, with a comprehensive strategy encompassing Zero Trust, data protection, and compliance frameworks to mitigate cyber threats. Effective data governance and the adoption of AI-based solutions can enhance decision-making, operational efficiency, and security. Ongoing cybersecurity training and a culture of vigilance are essential to protect sensitive medical data and maintain patient trust.

Texas Judge Upholds Hospitals’ Right to Use Online Tracking Technology

Summary of article from The Record, by Suzanne Smalley:

A Texas federal judge ruled that the Biden administration's policy limiting hospitals' use of online tracking technology overstepped its authority. The policy, issued by HHS in 2022, aimed to protect user privacy by warning that third-party data collection on hospital websites could violate HIPAA. Despite HHS's recent revision of the guidance and its warnings about the risks of technologies such as the Meta/Facebook Pixel and Google Analytics, the judge found that the guidance improperly extended HIPAA's reach to data generated by visitors searching public, unauthenticated web pages. The decision followed a lawsuit brought by the American Hospital Association and other plaintiffs. The ruling underscores the complexity and extensive reach of federal regulation in modern life.

PHI Compromised in Cyberattacks on South Texas Oncology and Hematology & Highland Health Systems

Summary of article from The HIPAA Journal, by Steve Adler:

South Texas Oncology and Hematology (STOH) in San Antonio, TX, and Highland Health Systems in Anniston, AL, have experienced significant cyberattacks, compromising the personal and protected health information of their patients and employees. STOH’s breach, detected in February 2024, affected 176,303 individuals, exposing names and medical information, while Highland Health Systems’ breach, detected in July 2023, impacted 83,543 individuals, revealing sensitive data such as Social Security numbers and medical information. Both organizations have engaged third-party cybersecurity firms, notified law enforcement, and provided affected individuals with credit monitoring services. STOH and Highland Health Systems have also enhanced their security measures, including updating security tools and implementing new protections. No evidence of misuse of the compromised data has been found to date.

OCR Increases Focus on Phishing Attacks Against Healthcare Providers

Summary of article from Morgan Lewis, by Amy M. Magnano, Michael J. Madderra:

In response to a significant rise in phishing attacks, the US Department of Health and Human Services' Office for Civil Rights (OCR) is emphasizing the importance of regular risk assessments and recognized best practices to protect sensitive data. OCR's first settlement arising from a phishing attack involved Lafourche Medical Group, which had failed to implement the required safeguards, resulting in a breach that compromised the data of nearly 35,000 individuals. The resolution included a $480,000 payment and a two-year monitoring period for Lafourche. Future phishing attacks are expected to become more convincing as attackers adopt AI, which further underscores the need for regular security policy updates and employee education.

Hacking the Hippocratic Oath: Four Ways to Shield Patients from Ransomware Attacks

Summary of article from MedCity News, by Mohammad Wagas:

The healthcare industry is under increasing threat from cyberattacks, highlighting an immediate need for stronger security measures. To address this, four key strategies are recommended: improving the analysis of security risks, fostering a cybersecurity culture among all staff, segmenting networks to limit the damage an intrusion can do, and ensuring robust defense of the external attack surface. Comprehensive risk analysis tools and consistent cybersecurity education for staff are imperative. Implementing a Zero Trust architecture and conducting regular security audits of third-party vendors are also key. These initiatives align with medical ethics and support patient safety and patients' trust in technology.

Healthcare Cybersecurity: Preventing Data Breaches

Summary of article from Security Boulevard, by Rom Carmel:

The healthcare sector is facing an escalating threat from cyberattacks, with an unprecedented 725 large data breaches reported in 2023. The primary causes are system vulnerabilities, human error, and a surge in sophisticated attacks. The consequences of these breaches are manifold, including major financial burdens, significant reputational damage, and infringement of patient privacy. To mitigate these risks, it is essential to implement robust cybersecurity infrastructure, perform regular audits and risk assessments, and provide comprehensive cybersecurity training to employees. The article also presents Apono, the author's access-management platform, as a tool that can support healthcare firms with these preventative measures, contributing to safeguarding patient data, maintaining service integrity and trust, and complying with industry standards.

Understanding Barriers to Cyber Resilience in Healthcare

Summary of article from HealthIT Security, by Jill McKeon:

Cyber resilience in healthcare, which enables swift response to and recovery from cybersecurity incidents, faces several barriers, including a lack of understanding of the concept, misalignment between cybersecurity and the business, and the complexity of IT systems. Research by LevelBlue reveals that 76% of healthcare organizations view cyber resilience as primarily the responsibility of cybersecurity teams rather than an enterprise-wide priority. Budgets are often reactive, with 77% of respondents describing theirs that way, and there is a notable lack of cybersecurity understanding at the board level. Rapid innovation in healthcare technology, while beneficial, adds to cyber risk and makes resilience more complex. To improve cyber resilience, healthcare organizations should use reporting metrics and analysis, increase communication at the C-suite level, improve employee training, and adopt resources such as the Health Industry Cybersecurity Practices (HICP) for better alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

Tips to Shorten Healthcare’s Cybersecurity Learning Curve

Summary of article from Healthcare IT News, by Andrea Fox:

Healthcare organizations are struggling with cybersecurity, especially as threats become more sophisticated. Traditional endpoint detection and response systems are proving inadequate; many can be bypassed without triggering alerts. Healthcare organizations have unique blind spots because of their reliance on basic security measures and the complexity of their digital infrastructure. Artificial intelligence can help identify and respond to threats in real time, but AI is a tool, not a magic solution. Healthcare organizations and their third-party vendors need to adopt advanced threat detection and response technologies and act as a united front to better resist cyberattacks.

Checking the Pulse: An Approach to Telehealth Privacy and Cybersecurity Due Diligence

Summary of article from Troutman Pepper, by Brent Hoard, Emma Trivax, Erin Whaley:

The rapid expansion of telehealth introduces complex privacy and cybersecurity challenges that affect financing and acquisition decisions in the health care sector. A strategic pre-diligence review is advised to identify potential risks and the applicable regulatory environment, including HIPAA, the FTC's Health Breach Notification Rule, state-specific privacy laws, and international privacy laws. The pre-diligence review should also examine the target's privacy policy, website, and data practices. This information should then inform a comprehensive due diligence process, including the development of a request list and a framework for organizing diligence issues. Finally, a plan should be put in place to address any identified compliance risks or business issues both before and after the acquisition.

HHS Must Take Immediate Action to Improve Cybersecurity at Large Healthcare Organizations

Summary of article from The HIPAA Journal, by Steve Adler:

Senator Ron Wyden has called on the Department of Health and Human Services (HHS) to take immediate action to strengthen the cybersecurity practices of large healthcare companies. He has criticized HHS for its lack of regulation and oversight, particularly in light of recent cyberattacks on major healthcare organizations such as Change Healthcare and Ascension. Wyden has recommended the development and enforcement of minimum cybersecurity standards for systemically important entities (SIEs), covering resilience to cyberattacks and business continuity. He also suggested that HHS should stress test SIEs and prioritize them for audits. Moreover, he has urged HHS to provide technical assistance and guidance to smaller healthcare organizations through the Quality Improvement Organizations and Medicare Learning Network programs of the Centers for Medicare & Medicaid Services (CMS).