Tag Archive for: Healthcare

HIMSS Roundup: What’s Worrying Healthcare Organizations?

Held from March 14 to 18 in Orlando, Florida, the HIMSS 22 Global Health Conference and Exhibition took aim at some of the biggest opportunities and challenges facing healthcare organizations this year.

While businesses are taking their own paths to post-pandemic operations, both the content of sessions and conversations with attendees revealed three common sources of concern: compliance operations, the Internet of Healthcare Things (IoHT), and patient access portals.

Top-of-Mind Issues in Healthcare Security

For the past few years, effective healthcare security has been inextricably tied to ransomware risk reduction and remediation. It makes sense: According to Josh Corman, head of the Cybersecurity and Infrastructure Security Agency (CISA) COVID-19 task force, “Hospitals’ systems were already fragile before the pandemic. Then the ransomware attacks became more varied, more aggressive, and with higher payment demands.” As a result, ransomware has become a top priority for healthcare organizations looking to protect patient data and limit operational impacts.

Conversations with healthcare and IT professionals at HIMSS 22, however, made it clear that what worries organizations is changing. To ensure effective security, responses must evolve as well.

Top Issue #1: Compliance with Evolving Government Regulations and Security Mandates

Not surprisingly, many HIMSS attendees expressed concern about evolving government regulations and security mandates.

Attendees spoke to issues around familiar mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standards (PCI DSS). Many were worried about their ability to understand the full scope of software and services on their networks, along with the number and nature of connections across these networks. Mergers and acquisitions (M&A) were also mentioned as potential failure points for compliance. As healthcare markets begin to stabilize, M&A volumes are increasing, which in turn creates IT systems integration challenges that could lead to complex and cumbersome overlaps or, even more worrisome, gaps in security.

When it comes to security mandates, meanwhile, many organizations understand the need for improved policies and procedures to help mitigate risk but struggle to make the shift from theory to action. Consider a recent survey which found that 74 percent of US healthcare organizations still lack comprehensive software supply chain risk management policies, despite directives such as President Biden’s May 2021 executive order on improving national cybersecurity in part through the use of zero trust frameworks, multi-factor authentication policies, and software bill of materials (SBOM) implementation.

The result is a growing concern for healthcare organizations. If regular audits conducted by regulatory bodies identify non-compliance, companies could face fines or sanctions. Consider the failure of a PCI DSS audit. If it’s determined that organizations aren’t effectively safeguarding patients’ financial data, they could lose the ability to process credit cards until the problem is addressed.

Top Issue #2: The Internet of Healthcare Things (IoHT)

IoHT adoption is on the rise. These connected devices, which include everything from patient wearables to hospital beds to lights and sensors, provide a steady stream of actionable information that can help organizations make better decisions and deliver improved care. But more devices mean more potential access points for attackers, in turn putting patient data at risk.

Effectively managing the growing IoHT landscape requires isolation and segmentation—the ability to pinpoint potential device risks and take action before attackers can exploit vulnerabilities. There’s also a growing need to understand the “blast radius” associated with IoHT if attackers are able to compromise a digitally-connected device and move laterally across healthcare networks to access patient, staff, or operational information. From data held for ransom to information exfiltrated and sold to the highest bidder, IoHT networks that lack visibility significantly increase the chance of compromise.

The Internet of Healthcare Things also introduces the challenge of incident detection. As noted by HIPAA Journal, while the average time to detect a healthcare breach has been steadily falling over the past few years, it still takes organizations 132 days on average to discover they’ve been compromised.

Top Issue #3: Patient Access Portals

Patient access portals are a key component in the “next normal” of healthcare. Along with telehealth initiatives, these portals make it possible for patients to access medical information on-demand, anywhere, and anytime. They also allow medical staff to find key patient data, enter new information, and identify patterns in symptoms or behavior that could help inform a diagnosis.

But these portals also represent a growing security concern: unauthorized access. If the wrong person gains access to patient records, healthcare companies could find themselves exposed to both legal and regulatory risks. In part, this access risk stems from the overlap of legacy and cloud-based technologies. Many organizations still leverage outdated servers or on-premises systems while simultaneously adopting the cloud for new workloads. The result is a patchwork of overlapping and sometimes conflicting access policies, which can frustrate legitimate users and create avenues of compromise for attackers.

Addressing Today’s Pressing Healthcare Security Concerns

While meeting regulatory obligations, managing IoHT devices, and monitoring patient portals all come with unique security concerns, effectively managing all three starts with a common thread: visibility.

If healthcare organizations can’t see what’s happening on their network, they can’t make informed decisions when it comes to improving overall security. Consider IoHT. As the number of connected devices grows, so does the overall attack surface. With more devices on the network, attackers have more potential points of access to exploit, in turn increasing total risk. Complete visibility helps reduce this risk.

By deploying solutions that make it possible to view healthcare networks as a comprehensive, dynamic visualization, it’s possible for companies to validate network and device inventories, ensure critical resources aren’t exposed to public-facing connections, and prioritize detected vulnerabilities based on their network location and potential access risk. Additional tools can then be layered onto existing security frameworks to address specific concerns or eliminate critical vulnerabilities, in turn providing greater control over healthcare networks at scale.

The automation of key tasks—such as regular, internal IT audits—is also critical to improving healthcare security. Given the sheer number of devices and connections across healthcare networks, even experienced IT teams aren’t able to keep pace with changing conditions. Tools capable of automating alert capture and performing rudimentary analysis to determine if alerts are false positives or must be escalated for remediation can significantly reduce complexity while increasing overall security.

Handling Healthcare Worries

Peace of mind for healthcare organizations is hard to come by—and even harder to maintain. Evolving concerns around compliance, IoHT, and patient portals present new challenges that require new approaches to effectively monitor, manage and mitigate risks.

Thankfully, improving visibility offers a common starting point to help solve these security challenges. Armed with improved knowledge of network operations, healthcare companies are better equipped to pinpoint potential threats, take appropriate action, and reduce their total risk.

The Impact of the ONC Cures Act on API Security

In March 2020, the US Department of Health and Human Services issued the 21st Century Office of the National Coordinator (ONC) Final Rule, also known as the ONC Cures Act Final Rule. This Final Rule supports secured, limitless access, exchange, and use of Electronic Health Information (EHI).

ONC Cures Act Final Rule, apart from providing patients and their healthcare providers secure yet seamless access to health information, aims to increase innovation and trigger competition. With more competition comes innovation, as new entrants offer much wider healthcare choices and solutions for patients.

Summary of the ONC Cures Act Regulations

Due to the COVID-19 pandemic, the US Department of Health and Human Services provided an extension for compliance to the ONC Cures Act Final Rule. This extension ended on April 5, 2021.

According to the National Law Review, organizations subject to the Cures Act should have the following in place:

  • An efficient configuration of digital patient portals to provide electronic health information (EHI) to patients without needless delay
  • An up-to-date release of information policies
  • A thorough assessment of contracts and arrangements involving EHI with any third parties should be conducted to achieve compliance with information blocking prohibitions
  • Preparation of real-world testing plans, EHI data export, Application Programming Interfaces (APIs) with latest HL7 Fast Healthcare Interoperability Resources (FHIR) capabilities, and various other capabilities targeted for 2021 and 2022

The ONC Cures Act Final Rule calls on the healthcare industry to adopt standardized APIs that allow individuals or patients to access and better use EHI through smartphone applications, securely and quickly.

Identity and Security Requirements of the Regulations

ONC Cures Act Final Rule, as explained in the Federal Register, lays out conditions for the compliance certification of healthcare providers. Those conditions include support for standards and published APIs that allow health information “to be accessed, exchanged, and used without special effort” and “access to all data elements of a patient’s electronic health record to the extent permissible under applicable privacy laws.” The aim of the Final Rule is nationwide transparent data portability with standardized yet agile data exchange processes.

Along with that, the ONC Cures Act Final Rule can avoid many security risks associated with healthcare APIs, such as inadequate SSL certificate validation, the vulnerability of Simple Object Access Protocol (SOAP), and accountability issues, to name a few.

The following are the specific identity and healthcare security requirements of the ONC Cures Act Final Rule:

The ONC Cures Act Final Rule, which allows agility of EHI, also puts limits on information blocking and anti-competitive practices by healthcare providers. The Code of Federal Regulations, with a few exceptions, allows patients to decide which healthcare applications can access their EHI.

Vulnerabilities of the APIs

The ONC Cures Act Final Rule ushers in an era of widespread adoption of standardized APIs by the healthcare industry all over the globe. On the one hand, it helps individuals or patients securely access and easily make use of EHI using smartphone applications. On the other hand, since APIs deal with sensitive data that can be easily accessible over the internet, they are vulnerable to sophisticated cyberattacks. Without question, healthcare organizations need enhanced digital healthcare security and vigilant monitoring to protect sensitive and private patient information.

More than anything else, implementing and maintaining enhanced API security is an exhaustive process. It also incurs extra expenditure on updating features or fixing bugs. This scenario demands a significant part of the API development lifecycle to maintain security.

Another concern is the consistent testing of API security. This complicated process requires hiring the right talent to identify and expose API security issues before the launch of the application.

Leveraging Cloud Solutions

According to IBM, the widespread global cloud migration can amplify the cost of cybercrime damage by nearly $300,000. As more enterprises migrate to the cloud, sensitive corporate data becomes vulnerable to cyberattacks, technical glitches, and data storage issues.

However, the increased technical difficulties, expenses, and larger talent pools associated with the integration, management, and dissemination of EHI can be overcome by cloud solutions. Today, many healthcare providers have embraced the power of healthcare cloud computing to meet the ONC Cures Act Final Rule requirements and to future-proof their Information Technology (IT) environment.

Cloud solutions eliminate the additional time and cost associated with traditional storage systems. An integrated data ecosystem that can feed multiple data centers can be deployed within a short period and with fewer complications using cloud solutions.

Additionally, cloud solutions can empower healthcare providers to scale up and scale down their data processing resources as demands fluctuate. As an added benefit, the pay-per-use business model implemented by most cloud solutions providers worldwide makes the expensive resource procurement associated with traditional storage systems a thing of the past.

Another advantage of cloud computing infrastructure is that it provides access to data through open-source tools. That means no more data locked in silos and unwanted license expirations common with other proprietary storage solutions.

Cloud Is the Future of Healthcare

The future is healthcare cloud computing. ONC Cures Act Final Rule is the call from the future. EHI should flow smoothly and safely. Healthcare IT should provide more portable, interoperable, and patient-centric healthcare solutions. And cloud solutions are the only way forward.

RedSeal, a hybrid cloud security solution provider, helps you identify all your resources and how they are connected in your complex network environment. It allows easier validation of your security policies and prioritizes the security issues that can breach your most valuable network assets. RedSeal constantly monitors your network to find glitches in your networking setup and verify that it meets compliance standards and organizational policy.

RedSeal Stratus is a Software as a Service (SaaS)-based Cloud Security Posture Management solution that provides your cloud solutions security team with increased visibility and understanding of the provider’s infrastructure. RedSeal Stratus can help you manage the increased digital healthcare security risks with an up-to-date visualization of cloud solutions infrastructure and detailed identification of digital resources exposed to the internet. Your security team will also gain up-to-date knowledge of Kubernetes accounts and policies.

RedSeal Receives 2021 MedTech Breakthrough Award for “Best Overall Healthcare Cybersecurity Solution”

MedTech Breakthrough Awards | May 6, 2021

RedSeal has been named the winner of the 2021 MedTech Breakthrough Award for “Best Overall Healthcare Cybersecurity Solution.” The awards celebrate the most outstanding digital health and medical technology products, services and companies around the world. This year’s award winners were selected from more than 3,850 nominations from across the globe.

Digital Preparedness for Health Care

Health Tech Digital | June 23, 2020

Being prepared for the unknown is as important to the digital side of healthcare as it is to the medical side. Both require knowing your resources, preparing for likely scenarios and following good hygiene practices for advanced planning, health maintenance, and rapid intervention. There are established protocols in medicine and for digital infrastructure. The Center for Internet Security (CIS) publishes Critical Security Controls, which serve as a widely agreed upon set of solid, proven approaches to cyber readiness.

These start at the most basic level – understanding your inventory.

RedSeal Helps Healthcare Organizations Reduce Cyber Risk

MedTech Breakthrough Awards selects RedSeal as best overall healthcare cybersecurity solution

SAN JOSE, Calif. — May 21, 2020 — Today RedSeal announced its cyber terrain analytics platform won the MedTech Breakthrough Award for best overall healthcare cybersecurity solution. This builds on a recent TAG Cyber study that confirms the platform – which automates cybersecurity fundamentals – is well-suited to meet the cybersecurity needs of modern healthcare organizations for cyber visibility, compliance and risk management.

The current health crisis has forced employees across healthcare and telemedicine organizations to work remotely, prompting hackers to target Virtual Private Networks (VPNs) and conduct password-spraying attacks on the healthcare sector and other essential services. As a result, the FBI and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) released a joint alert on May 13 raising concern for cybersecurity threats targeting organizations addressing COVID-19.

To ensure the remote workforce has access to the appropriate applications and systems while maintaining the same level of security posture and compliance as before, RedSeal launched its Secure Remote Work Assessment. As a result, security and management teams receive the most holistic understanding of their organization’s cyber risks – across physical, cloud and virtual networks – including remote endpoints.

In addition, RedSeal is offering new professional service packages to improve cyber visibility and cloud cyber visibility, while building on its successful professional services to support compliance and risk vulnerability.

“Cybercriminals attack the most vulnerable organizations, which puts healthcare providers, associated verticals and their employees on the frontlines of a cyber battle as well as a global pandemic,” said Dr. Mike Lloyd, chief technology officer at RedSeal. “Now more than ever, it’s important to ensure their systems and networks are secure. We are honored to be named the best healthcare cybersecurity solution – and hope that our new set of services will greatly assist already impacted healthcare organizations.”

IRS Website Crash Reminder of HealthCare.gov Debacle as OMB Pushes Open Source

FEDWeek | April 20, 2018

Every filing season is a crush for the IRS but this year’s had the added challenge of changes due to the Tax Cuts and Jobs Act signed in December – and increasing e-file returns via integrations with vendors such as TurboTax and H&R Block, along with continued declines in operating budget and personnel. It all culminated on Tax Day when the IRS’s processing systems crashed. The error displayed on its website summed it up: “Planed Outage: April 17, 2018 – December 9999.”

Protecting PHI, Challenges and Solutions for Healthcare

What is data worth? On the surface, it is just a bunch of 1s and 0s on a hard drive. Most users don’t think about or even fully understand data. Their cell phones work, email is at their fingertips, and a friend is just a video chat away. But, enormous companies are built using data. Data is a big driver of economy, advertising, and business decisions. On the darker side, data is a target for attackers, who find a large market for it.

When it comes to personal data, is your credit card or your health information worth more? According to the Ponemon Institute[i], health records have sold for $363 per record — more than the price of stolen credit cards and service account credentials combined! 2015 was known for healthcare mega-breaches. It’s estimated that half of US citizens’ medical information is available for purchase, with 112 million records becoming available in 2015. Supply and demand works here, too. Due to the large number of records available on the black market, the price has dropped significantly in recent months. This doesn’t mean the healthcare industry is out of the woods. According to McAfee Labs[ii], healthcare attacks are increasing even though the average price per record is dropping.

Personal health information (PHI) is attractive because it lasts longer and is more difficult for victims to protect. Unlike the credit card industry, the healthcare industry hasn’t come up with a good way to stop and prosecute fraudulent charges. If you see your credit card is used by someone else, you can call up and have the charges reversed and a new card issued. This isn’t the case with your PHI. Likewise, it is more difficult to see if your PHI was used to buy drugs or equipment. How often do you check your medical bills compared to your credit card statements? Additionally, PHI opens the door for attackers to steal victims’ identity, or buy and sell medical equipment and drugs with the stolen information. Because they have such valuable information, healthcare organizations must take an active role in protecting their data, yet not close it down so tightly they can’t remain in business.

Recently, I went on Shodan, a search engine that scours the internet and gathers information about all connected devices. It isn’t secret; anyone can use it to search for vulnerable devices. In the US alone, I found hundreds of devices belonging to organizations that handle sought-after health information. These organizations used insecure protocols, services, and software with known exploits — illustrating the seriousness of this problem.

The healthcare industry must overcome the same challenges other industries face. It is only unique in the value of its data. Lack of finances, expertise, and time all compound the problem. I call this the Security Triangle (a spinoff of the Project Triangle). You have expertise, time, and finances and you only get two. RedSeal can help healthcare organizations balance out this security triangle. When a healthcare organization installs RedSeal, the automation it provides will free up their experts to handle other pressing issues.

RedSeal will parse through the configurations of multiple vendors and visualize all paths from the internet to the inside of your network. RedSeal offers a single pane of glass for your network, vulnerabilities, best practice checks, and policies, to simplify the understanding of information flows. You can set up RedSeal to alert you if your organization is at risk from an insecure protocol being accessible to the web. Without RedSeal, this process is painstakingly manual, requiring a great deal of time and resources to fully understand.

With RedSeal in your network, you can ensure that your organization’s policies are followed. If there are any changes that increase the risk to the organization, the dashboard will alert you. Organizations that keep medical data can set up policies to alert them if internet devices can directly access medical records, or if they can leapfrog into the network through some other server. Normally this requires a plethora of tools or manual labor, making the process complex. Once configured, RedSeal will automatically check policies to ensure access to critical systems remain as configured. If new access is introduced, the dashboard will alert you — saving time and resources, and freeing up your experts to more urgent tasks.

Healthcare organizations using RedSeal can automate manual tasks and improve security, freeing up their resources to take on more urgent matters — saving lives.

[i] https://www.csoonline.com/article/2926727/data-protection/ponemon-data-breach-costs-now-average-154-per-record.html

[ii] http://www.businesswire.com/news/home/20161025006879/en/McAfee-Labs-Liquidity-Trumps-Longevity-Market-Stolen

Defense Medical Communities Face Digital Resilience Challenges

Last week in Orlando, I attended the Defense Health Information Technology Symposium (DHITS) conference. This is one of the best attended, most cohesive trade shows I have been to in years. One of the eight break-out tracks was entirely devoted to the challenges of securing defense health networks and the medical devices that connect to them. It was overdue proof that the Defense Health Agency (DHA) community is recognizing the importance of cybersecurity.

The seven cyber sessions were:

  • Risk Management Framework
  • Cybersecurity- Decisions, Habits and Hygiene
  • Are You Cybersecurity Inspection Ready?
  • Incident Response: Before, During and After the Hack- How
  • MHS Medical Device Integration and Security: Details Matter
  • RMF Requirements and Workflows for Medical Devices with the DOD
  • Security for Connected Medical Devices

Clearly, the defense health community is paying a lot of attention to medical devices as a source of vulnerabilities. According to a DHA presentation at the conference, 80% of all successful cyber incidents can be traced back to poor medical device user practices, poor network and management practices, and poor implementation of network architecture.

Medical devices are easy to access on internal networks and device owners are not sure how to secure the devices or the networks.

Everyone tries to lock down the devices. There are thousands of devices in a large hospital. They can’t be 100% secure. They need networks that are digitally resilient, that find devices and non-compliant configurations. Only then can they mitigate the risk to defense health systems. Even though the Defense Health Agency is a new organization, it’s slowly taking over the IT responsibilities of various defense health organizations. As these networks are consolidated into a new network, Med-COI, there has been a tendency to focus on “getting the job done.” To avoid future issues, DHA needs to prioritize understanding what current risks they’re bringing into this new network.

The good news is that all the attendees I spoke with and who dropped by RedSeal’s booth agreed that these were challenges that needed to be addressed.

For more information on how RedSeal can assist with building digital resilience in the Defense Health community, please contact Matt Venditto at mvenditto@redseal.net

Cyber Resilience Protects Medical Data

BUSINESS INSURANCE | June 19, 2016

Health care organizations are becoming resilient in the face of cyber attacks as hackers attempt to access sensitive patient information.

Experts from Zurich North America and RedSeal Inc., a Sunnyvale, California-based cyber security firm, discussed how health care providers, insurers and affiliated companies can bounce back when data breaches are discovered.