Call to action
I recommend hospital leadership sit down with the "Security" Office and the "Privacy" Office and walk through these simple 8 pages. If ANYTHING in the 8 pages is surprising, then you have a big problem on your hands. There is NOTHING in these 8 pages that should be surprising. This fact-sheet should be viewed by hospital leadership just like a contracted penetration-test report, except this one is better written. For example, this quote from an HHS article, "Your Money or Your PHI: New Guidance on Ransomware":
The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
- Implementing procedures to safeguard against malicious software;
- Training authorized users on detecting malicious software and reporting such detections;
- Limiting access to ePHI to only those persons or software programs requiring access; and
- Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.
Ransomware is a Privacy Breach
Some of the other topics covered in the guidance include: understanding ransomware and how it works; spotting the signs of ransomware; implementing security incident responses; mitigating the consequences of ransomware; and the importance of contingency planning and data backup. The guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecured PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a “low probability” that the information was compromised.
The point is that you must start with the conclusion that the data was breached, and prove that it was not. If the ransomware had enough access to encrypt, then it had enough access to have exfiltrated.
Risk Assessment and Management Plan is not static
The one point of emphasis I would add is that the "Risk Assessment and Management Plan", which is indeed required by the HIPAA Security Rule, is also required to be revised periodically. 45 CFR § 164.306(e) states:
“Security measures implemented to comply with standards and implementation specifications adopted under § 164.105 [(the Organizational Requirements)] and this subpart [(the Security Rule)] must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of [EPHI] as described at § 164.316.”
Conclusion
I am very impressed and happy with all of the fact-sheets out of HHS. They have a very hard job of explaining difficult subjects to a huge and heterogeneous audience, made up of mature organizations and unprepared organizations. These fact-sheets should be viewed as an opportunity to exercise and investigate your working Security and Privacy plan.
Other articles I have on Security/Privacy Risk Assessment/Management
- Privacy Principles
- Why Mutual-Authorized-TLS?
- Failure of Privacy due to Performance vs Privacy
- Healthcare: Fail Open vs Fail Closed
- Safety vs Privacy
- IEC 80001 - Risk Assessment to be used when putting a Medical Device onto a Network
- More Webinars on Basics of IEC 80001
- IEC 80001 - Security Technical Report presentation
- How to Write Secure Interoperability Standards
- How to apply Risk Assessment to get your Security and Privacy and Security requirements