OCR Publishes Recommendations to Prepare for Cybersecurity Threats
The Department of Health and Human Services Office of Civil Rights (OCR) Spring 2019 Cybersecurity Newsletter includes new recommendations regarding how HIPAA covered entities can prepare to defend against cybersecurity attacks such as advanced persistent threats (APTs) and zero-day vulnerabilities. These cybersecurity threats were used by hackers in the global WannaCry ransomware cyberattack, which severely impacted the United Kingdom’s National Health Service and several United States HIPAA covered entities and business associates in May 2017.
According to the National Institute of Standards and Technology (NIST), an APT “is a long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target’s information systems to steal information or disrupt the target’s operations.” APT attacks may not be as sophisticated as other hacking attacks, but the persistence of the attack and the capability for the attacker to change tactics to avoid detection makes APTs formidable threats to health care organizations. Health care data is particularly valuable to hackers who can use the information to blackmail an individual and compromise the confidentiality, integrity, or availability of the affected individuals’ protected health information.
Zero-day exploits are cybersecurity attacks which attempt to exploit unknown hardware, firmware, or software vulnerability. Through research and probing, hackers can discover zero-day exploits in antivirus software and take advantage of the lag time between the discovery of the vulnerability and the availability and/or implementation of the software patch or update. OCR states that these attacks are especially dangerous because their unique nature makes them more difficult to detect than ordinary hacking attacks. OCR emphasizes that HIPAA covered entities must be diligent in monitoring their cybersecurity or antivirus software for any unusual activity or suspicious files. Moreover, HIPAA covered entities should consider adopting other protective measures such as encryption, access controls, or network access limitations to mitigate the potential impact of zero-day vulnerabilities until a patch or upgrade is available.
OCR recommends that HIPAA covered entities and business associates implement the following security measures contained in the HIPAA Security Rule (specifically the security measures set forth at 45 CFR § 164.308 and 45 CFR § 164.312) to proactively mitigate or prevent the harm that an APT or zero-day attack may cause:
The full Spring 2019 OCR Cybersecurity Newsletter is available here. If you have any questions regarding security measures that your organization can implement to protect against HIPAA security incidents, or general questions regarding HIPAA compliance, please contact your Dinsmore health care attorney.
 Available here: https://csrc.nist.gov/publications/detail/sp/800-39/final.
Link to article
- Resolutions of the Hungarian data protection authority imposing fines under the GDPR (21 June 2019)
- New UAE Regulatory Policy for the Internet of Things
- Joint Controllers - Supervisory authorities publish first sample agreement
- Fake Meat Good, Fake News Bad
WSG Member: Please login to add your comment.