The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have announced an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.  
 
CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans. 

It has been noted that hackers are using Ryuk ransomware — malicious software used to encrypt data and keep it locked up — and the Trickbot network of infected computers to steal data, disrupt health care services and extort money from health care facilities. Such data hijacking often cripples online systems, forcing many to pay up to millions of dollars to restore their services.

Find links and further documentation below

The number of COVID-19 cases continue to increase throughout the United States, requiring more and more of our health systems to rely on employees working from home at times. While some of us are required to "shelter-in-place," unfortunately that shelter can create increased risks such as cyber security breaches.

General cybersecurity guidance would suggest that Health IT breach should not be considered a matter of “if”, but rather a matter of “when”. How Health Centers prepare and respond to an episode of a breach is just as important as defending itself from the breach.

It is of critical importance to motivate and educate healthcare professionals on current critical privacy and security concepts and methods for defense of health data. Aspects of security awareness training, breach protection, incident response, and related topics all play a role toward organization-wide information protection. Healthcare cybersecurity is the ultimate team sport. The responsibility goes beyond the IT staff and includes front and back office staff, doctors and nurses, patients, executives, and the board of directors. The attached presentation is directed to all levels of the healthcare organization so that they may be proactive and aware.

Is it acceptable/recommended for health centers to adopt the new password policy guidelines under NIST Special Publication 800-63B and will that still uphold the HIPAA security rule? This question had been posed to the HITEQ Center asking whether we had any guidance or recommendations on implementing the new NIST Guidelines regarding password security.  New Digital Identity Guidelines under NIST Special Publication 800-63-B presents new guidelines regarding password security that are much more user-friendly and consequently more likely to be observed by health center staff since constantly changing, complex password on multiple systems can be a source of frustration for the end user. 

This slide deck provides health centers with information and a presentation template overview of the HIPAA and electronic PHI risks related to texting and messaging that are important for health center leadership and IT managers to understand in making organizational decisions for these types of tools.

Since 2010, the healthcare industry has seen a remarkable increase in the use of technology in the administration and delivery in healthcare. This has led to a mass migration of data from paper charts and isolated systems to Electronic Medical Records (EMRs) and interconnected systems that transmit patient health and financial information across trusted and untrusted networks. While this has been a boon for the industry in its ability to provide timely information to those who need it the most, this transition has introduced a great deal of risk to the confidentiality and integrity of the information. Coupled with the fact that the information can be quickly monetized by criminals through insurance fraud and identity theft, the ecosystem is target-rich.

Data breaches in healthcare are consistently high in terms of volume, frequency, impact, and cost. High-level breaches are increasingly occurring in a more targeted manner toward health centers. This presentation provides Health Center leadership and trainers with a template to use to build out their own organization-specific presentation on breach.