HITEQ Health Center Cybersecurity Defender Against the Dark Web

Health Centers are being inundated by an unprecedented surge in cybersecurity incidents that are having detrimental effects on healthcare worldwide. New, sophisticated threats seem to appear on a daily basis. Most importantly, these threats are primarily being targeted and spread through end users (vs health IT systems) through social engineering and phishing attack methods. 

Healthcare cybersecurity is the ultimate team sport. The responsibility goes beyond the IT staff and includes front and back office staff, doctors and nurses, patients, executives, and the board of directors. These resources are directed at all levels of the healthcare organization so that they may be proactive and aware and help to defend Health Centers against the Dark Web.

Take some time to read through some of the articles on this page and then fill out the submission form on the right and you will be rewarded with a Health Center Defender Against the Dark Web badge! This is an official badge that is submitted by the HITEQ Center as a proof of completion to the blockchain. Your credentials can be added to profiles such as LinkedIn and verified through accreditation services such as Accredible and Open Badge.

 

Ransomware Alert and Guidance for Health Centers

51969
Ransomware Alert and Guidance for Health Centers

Updated 10/29/2020 with Ransomware Alert Notification and Documentation from CISA

Introduction

Ransomware is a type of malware that takes control over a computer or computer system by encrypting all the data on the drive. The data is then held at ransom until a predetermined cost is paid. Due to the use of cryptocurrencies (e.g., bitcoins) for payment it is difficult to track those demanding the ransom making it tough to prosecute.

Problem Statement

A rapid increase in the computerization of health care organizations, many without the capacity to keep up to date with the extensive privacy and security measures required, has made them targets for cyber-criminals. In the last couple of years there have been numerous ransomware attacks that has held critical hospital data at ransom.

Health Centers may be perceived as more vulnerable targets by cyber-criminals due to a potentially smaller IT staff and older set of IT infrastructure (e.g., operating systems without latest security updates). To make things worse, a decrease in the black market price of health data has increased hackers needs to pursue ransom from further providers.

Recent Alerts and Examples in the News

Ransomware Activity Targeting the Healthcare and Public Health Sector - Alert (AA20-302A)

https://us-cert.cisa.gov/ncas/alerts/aa20-302a

Ransomware Protection Strategies from the Cybersecurity and Infrastructure Security Agency (CISA)

https://www.us-cert.gov/ncas/current-activity/2019/09/06/ransomware-protection-strategies

WannaCry Ransomware Alert

- https://www.us-cert.gov/ncas/alerts/TA17-132A

Security report - Nearly 90 percent of ransomware attacks target healthcare

http://www.hiewatch.com/news/security-report-nearly-90-percent-ransomware-attacks-target-healthcare

Ransomware Transmission

  • E-mails posing as legitimate business or tempting links
  • Trojans acting as update requests
  • Anti-Virus programs patches and updates
  • Windows system updates
  • False “You’ve got a virus” notifications
  • Gaining access by exploiting known network or security software vulnerabilities

Ransomware & HIPAA Implications

OCR states that whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

 

Find links and further documentation below

Documents to download

Previous Article COVID-19 and CYBER SECURITY RISKS
Next Article Promoting Cybersecurity Awareness for Patients
Intended Audiencehealth center IT staff, CIO, Health Center Staff, Health Center Leadership, threat intelligence

Health Center Defender Against the Dark Web Badge Confirmation