Member Article

It is the time of year for a good scare– but not all a welcome treat!

The U.S. Department ofHealth and Human Services(HHS)published a cyber-threat advisory that comes as no great surprise to healthcare providers. As all healthcare providers are focused on continuing to provide excellent care during this COVID-19 pandemic, it is unfortunate that cyber-criminals see this as an opportunity for healthcare targeted ransomware attacks. Continued vigilance and investment in IT security and, particularly, workforce security training is absolutely necessary.

We are continuing to see an increase in HIPAA breaches among small medical and dental practices as well as larger organizations. No one is exempt.

The last quarter is generally a good time to conduct an annual security risk assessment, but, regardless of your organization’s schedule, an enterprise-wide and comprehensive assessment of vulnerabilities and threats, risk assessment and remediation is needed and required by HIPAA, and many state data security laws. In defending against and preventing ransomware and other cyber-attacks, the investment cost of security risk assessments, training and good auditing and monitoring of access and system activity will return a reward when the need for breach response is prevented. If you have not subscribed to the OCR list-serv, you should sign up here.

The OCR announcement ([email protected]) issued October 29, 2020 is here:

October 29, 2020

Cyber Alert: Ransomware Activity Targeting the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.

In addition to these materials regarding the most recent ransomware threat to the Healthcare and Public Health Sector, the HHS Office for Civil Rights’ Fact Sheet: Ransomware and HIPAA provides further information for entities regulated by the HIPAA Rules.CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.

Click here to read more.