HITEQ Health Center Behavioral Health Integrator Badge
Health centers are increasing the integration of behavioral health in primary care, spurred by an increased focus on whole person care and additional funding. Effective use of health IT in conjunction with patient privacy and confidentiality is imperative to support behavioral health.

According to the Office of the National Coordinator, "Health information technology can help to improve behavioral health care and can further enable care coordination and integration, increase information sharing, and support prevention, treatment, and recovery activities. Access to and the exchange and use of behavioral health information as part of routine care can help to improve continuity in care services and support efforts toward achieving an interoperable health care system across the continuum."

Take some time to read through some of the articles on this page and then fill out the submission form on the right and you will be rewarded with a Health Center Incredible Behavioral Health Integrator badge! This is an official badge that is submitted by the HITEQ Center as a proof of completion to the blockchain. Your credentials can be added to profiles such as LinkedIn and verified through accreditation services such as Accredible and Open Badge.

https://hiteqcenter.org/Services/Badges-Self-paced-Learning/Behavioral-Health-Integrator

 

Ransomware Alert and Guidance for Health Centers
HITEQ Center
/ Categories: Privacy and Security, Privacy & Security Best Practices, Security Risk Analysis, Breach Mitigation & Response

Ransomware Alert and Guidance for Health Centers

Updated 10/29/2020 with Ransomware Alert Notification and Documentation from CISA

Introduction

Ransomware is a type of malware that takes control over a computer or computer system by encrypting all the data on the drive. The data is then held at ransom until a predetermined cost is paid. Due to the use of cryptocurrencies (e.g., bitcoins) for payment it is difficult to track those demanding the ransom making it tough to prosecute.

Problem Statement

A rapid increase in the computerization of health care organizations, many without the capacity to keep up to date with the extensive privacy and security measures required, has made them targets for cyber-criminals. In the last couple of years there have been numerous ransomware attacks that has held critical hospital data at ransom.

Health Centers may be perceived as more vulnerable targets by cyber-criminals due to a potentially smaller IT staff and older set of IT infrastructure (e.g., operating systems without latest security updates). To make things worse, a decrease in the black market price of health data has increased hackers needs to pursue ransom from further providers.

Recent Alerts and Examples in the News

Ransomware Activity Targeting the Healthcare and Public Health Sector - Alert (AA20-302A)

https://us-cert.cisa.gov/ncas/alerts/aa20-302a

Ransomware Protection Strategies from the Cybersecurity and Infrastructure Security Agency (CISA)

https://www.us-cert.gov/ncas/current-activity/2019/09/06/ransomware-protection-strategies

WannaCry Ransomware Alert

- https://www.us-cert.gov/ncas/alerts/TA17-132A

Security report - Nearly 90 percent of ransomware attacks target healthcare

http://www.hiewatch.com/news/security-report-nearly-90-percent-ransomware-attacks-target-healthcare

Ransomware Transmission

  • E-mails posing as legitimate business or tempting links
  • Trojans acting as update requests
  • Anti-Virus programs patches and updates
  • Windows system updates
  • False “You’ve got a virus” notifications
  • Gaining access by exploiting known network or security software vulnerabilities

Ransomware & HIPAA Implications

OCR states that whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

 

Find links and further documentation below

Print
50677
Tags: SRAransomwarebreachbasicsintroductionWannaCryUS-Certcybersecurity defenderincident response
Intended Audiencehealth center IT staff, CIO, Health Center Staff, Health Center Leadership, threat intelligence

Documents to download

Resource Links

  • Ransomware Protection Strategies from CISAThe Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the Nation. Helping organizations protect themselves from ransomware is a chief priority for CISA.
  • HIS Talk WannaCry Threat Intelligence BriefingDuring this webinar, John Gomez (a healthcare focused cybersecurity researcher) will provide an in-depth analysis of the current state of wannacry as well as a technical review of how it operates and possible go-forward cybersecurity impacts. John will also present technical and regulatory counter-measures you should consider, specific to healthcare organizations.
  • Archived webinar from HIMSS on Preventing and Dealing with Ransomware Attacks: How to Keep Your Data SafeThe recent global ransomware attacks have revealed weaknesses in many organizations’ security plans. The global nature of the attacks demonstrate how easy it is for criminals to target health records for either profit or malicious reasons. And it confirms that the danger of cyber-attacks will not end any time soon. This webinar, presented by noted ethical hacker Kevin Johnson, will provide insight into how hackers identify vulnerabilities and provide specific advice to help you prepare a line of
  • HIMSS Learning Center recording of the presentation called Protecting Medical IoT Devices: Lessons Learned from WannaCry and NotPetyaAs WannaCry and NotPetya have demonstrated, connected medical devices in operation today were not designed with security in mind. In fact, many were not initially designed to be networked and certainly not exposed to the Internet. EMR and other initiatives have accelerated the need to network medical devices at the risk of security exposure. With traditional IT security solutions unable to secure connected medical devices, there are no easy answers to address the risk to the millions of devices
  • A link to the Healthcare IT News article titled "SamSam ransomware hackers still targeting healthcare, HHS warns"The destructive ransomware strain SamSam is still pummeling the healthcare sector, and hackers using it have hit at least eight separate targets in the government and healthcare sectors this year, according to an alert from the U.S. Department of Health and Human Services.
  • SamSam Ransomware Guidance from the United States Computer Emergency TeamThe Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.

Related Resources

HRSA Center of Excellence for Behavioral Health Technical Assistance

HRSA Center of Excellence for Behavioral Health Technical Assistance

The HRSA Center of Excellence for Behavioral Health Technical Assistance (COE for BHTA) helps grantees integrate substance use and mental health (behavioral health) services in primary care settings.

Focus: PHI

Focus: PHI

Patient privacy and confidentiality form a crucial component of the patient-doctor treatment relationship, particularly when seeking treatment for mental health or substance use disorders. Multiple federal privacy laws, in addition to state laws, provide privacy protections for mental health and substance use disorder treatment records, while permitting communication of these records to other healthcare providers, patients’ families, and others.

Behavioral Health Integration Compendium

Behavioral Health Integration Compendium

Many health centers collaborate with external behavioral health providers or provide co-located or integrated behavioral health services within their health center. Some of the most significant challenges are determining which data to share, how to store it within the Electronic Health Record, and how to use it within primary care. This compendium of literature and resources offers some guidance related to behavioral health data integration, complete with key health center considerations for each.

RSS

Badge Submission Form