Prepared for iHealth 2017 Clinical Informatics Conference Page 1
Disclosure
 We have no relevant relationships with commercial
interests to disclose.

Learning Objectives
 After participating in this session the learner should be
better able to:
 Appreciate the state of cybersecurity in healthcare organizations
and the lack of preparedness
 Be familiar with certain legal considerations, particularly the
Health Insurance Portability and Accountability Act (HIPAA)
 Its privacy and security rules
 Its limited scope
 Its gaps

Learning Objectives (cont.)
 Understand the focus on biomedical devices, particularly patient
safety and liability
 Distinguish forms of ransomware
 Understand what is needed for institutional preparedness

The State of Cybersecurity in Healthcare
Organizations
 Healthcare Organizations had almost one cyber attack
per month in the last 12 months
 Many experienced the loss of patient information
 Threats include:
 System failures, unsecure medical devices, cyber attackers,
employee-owned mobile devices, and unsecure mobile
devices
 Web-borne malware attacks
 Focus: patient information

An Underlying Lack of Preparedness for a
New World Filled with Threats
 An increasing wave of cybersecurity threats, particularly
ransomware attacks
 Challenges include:
 A lack of awareness of the magnitude of the ransomware
challenge in healthcare
 A relatively low level of investment in data security in U.S.
patient care organizations (PCOs)
 A lack of commitment on the part of health systems to address
the threat of ransomware

An Underlying Lack of Preparedness for a
New World Filled with Threats (cont.)
 Challenges include (cont.):
 Insufficient staffing of information security (IS) departments
 Insufficient training, preparedness, and expertise of those
assigned to manage cybersecurity and data security in PCOs
 A lack of data security strategic planning and execution of
strategic plans
 A rapidly surging threat that is exposing more hospitals, medical
groups, and health systems to ransomware and other malware
and hacking
[M. Hagland, With The Ransomware Crisis, The Landscape of Data Security Shifts in Healthcare, Healthcare Informatics Special Report
Ransomeware Crisis, Jun. 2016, http://www.healthcare-informatics.com/]

The State of Cyber Security in Healthcare
Organizations and Legal Considerations
 Security posture is business line dependent
 Based on institutional priority and culture
 Type of data protected
 Culture of sharing
 Reputation and risk exposure
 Types of industry
 Provider
 Payer
 Pharma
 Biomedical device manufacturer

The Gaps in HIPAA
 HIPAA does not protect information that is not Personal
Health Information (PHI)
 Business Associate Agreements (BAA) are limited in
their ability to reduce exposure
 Business Associates and sub-contractor accountability is
not front and center
 Competing regulations – differing priorities
 HIPAA may punish the victim

Ransomware, Institutional Preparedness,
and Recommendations
 To prepare for the worst – layered approach to defenses
 User awareness – user is the weakest link
 System patching
 Up-to-date anti-virus
 Offline backups
 Segmentation and isolation of exception systems

Is Privacy the Only Issue?
 Privacy is not the only issue; data integrity and
availability are of equal or more importance
 Vulnerabilities present in infrastructure and medical
devices
 Patient safety can be impacted through manipulation of
medical device data and environmental control systems
 Interface errors and device defects could introduce
inaccurate information to the electronic health records
(EHR)

HIPAA Security Rule
 Requires that covered entities (CE) and their business
associates (BA) perform a security risk assessment to
identify and mitigate risks to the confidentiality, integrity,
and availability of the ePHI they create, receive,
maintain, or transmit.
 Specifies a series of administrative, physical, and
technical safeguards that CEs and their BAs must
implement to prevent unauthorized or inappropriate
access, use, or disclosure of ePHI
 Administrative safeguards include:
 Risk analysis and management, access management, workforce
training, and evaluation of security measures

HIPAA Security Rule (cont.)
 Physical safeguards include:
 Physical measures, policies, and procedures to safeguard the
CE or BA's electronic information systems
 Facility access controls, workstation security, and device and
media controls
 Technical safeguards include:
 Access controls, audit controls, integrity, person or entity
authentication, and transmission security
[Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. U.S. Department of Health
and Human Services, https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf]

 Requires implementation of security measures that can
help prevent the introduction of malware, like
ransomware, including:
 Implementing a security management process
 Implementing procedures to guard against and detect malicious
software
 Training users on malicious software protection
 Implementing access controls
[FACT SHEET: Ransomware and HIPAA, http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf]

 Requires CEs and BAs to implement policies and
procedures that can assist an entity in responding to,
and recovering from, a ransomware attack
 Security incident procedures, including procedures for
responding to and reporting security incidents.
 Robust security incident procedures for responding to a
ransomware attack should include processes to:
 Detect and conduct an initial analysis of the ransomware
 Contain the impact and propagation of the ransomware

 Robust security incident procedures include:
 Eradicating the instances of ransomware and mitigating or
remediating vulnerabilities that permitted the ransomware attack
and propagation
 Recovering from the ransomware attack by restoring data lost
during the attack and returning to "business as usual" operations
 Conducting post-incident activities, and incorporating any
lessons learned into the overall security management process of
the entity to improve incident response effectiveness for the
future of security incidents

 The presence of ransomware (or any malware) on a
CE's or BA's computer system is a security incident
 Once it is detected, the CE or BA must initiate its security
incident and response reporting procedures
 They must be reasonable and appropriate to guidance regarding
the implementation of security incidents, including ransomware
attacks
 Whether or not the presence of ransomware would be a
breach under HIPAA is a fact-specific determination
 Does it compromise the security of PHI?

 Is there a low probability that the PHI has been
compromised?
 Four factor test:
1. The nature and extent of the PHI involved, including the
types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the PHI or to whom the
disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
 There should be a thorough and accurate evaluation of
all the evidence

Limited Scope of HIPAA
 Applies only to organizations known as CEs, health
plans, healthcare clearing houses, and healthcare
providers conducting electronic transactions, and their
BAs, persons or entities that perform certain functions or
activities involving the use or disclosure of PHI
 Wearable fitness trackers, social media sites where
individuals share health information through specific
social networks, and other technologies that are
common today did not exist when HIPAA was enacted in
1996
 Many of these are outside the scope of HIPAA

Privacy and Security Protections of Health
Information Have Not Kept Up with the Technology
 New types of entities that collect, share, and use health
information are not regulated by HIPAA
 Individuals may have a limited or incorrect understanding of
when data about their health is protected by law, and when it
is not
 Health information collected in more places without consistent
security standards may pose a cybersecurity threat
 Individuals generally have greater rights regarding access to
data held by HIPAA CE than data held by non-CE
 Lack of understanding of what rules apply may hinder
economic growth and development of beneficial products that
could help generate better health, smarter spending, and
healthier people

Physical Security and Social Engineering
Audit Case #1
 Outline
• 13,000 sq. ft. datacenter
audited for large SE client
• Team of two
• Planning, one week
including “wrong number”
visit
• Original plan (controls
passed)
• Adaptive plan based on use
of call log
 Results:
• Successful breach using
pressure and names from
call log and 2nd cell phone
• Full unescorted access onto
datacenter floor and client’s
secure cage
• Control tested and exploited
– Call log pin number

Audit Case #2
 Outline
audited for massive MW
client
• Team of two
• Planning, three weeks
• Original plan – one week on-
site (most controls passed)
• Adaptive plan based on
observation on last day of
audit
 Results:
• Successful breach of critical
infrastructure area due to
“nut in door jam” and shared
access with education center
and relaxed posture
• Full unescorted access onto
datacenter’s critical
substructure
• Control tested and
exploited– hardened access
controls to substructure

Audit Case #3
 Outline
audited for massive MW
client
• Team of two
• Planning, two weeks
• Original Plan – one week on-
site (access controls failed
day one)
• Security was 3rd party DOD
certified
 Results:
• Successful breach of entire
facility due to relaxed
posture and weak
authorization process;
included piggy backing “man
trap gate”
• Full unescorted and
“authorized” access to
facility
• Controls tested and
exploited – video monitored
trap gate and access
authorization process

# 1 Question
How do we
stop these
threats to our
organizations?

Focus: Prevent–Detect–Respond to
Source: https://www.securityforum.org/https://www.securityforum.org/research/threat-horizon-2on-deterioration/
“Threat Horizon 2019
Report” Themes
Disruption
Distortion
Deterioration

Information Security Forum
Threat Horizon 2019 Report
Disruption
Distortion
Deterioration
Overreliance on fragile
connectivity
Trust in the integrity of
information is lost
Controls are eroded by
regulations and
technology

Prevent–Detect–Respond Measures
Disruption
Distortion
Deterioration
• Integrate with BioMed procurement
• Assess BioMed security risks
• Identify critical assets-ownership and
access (RECERTIFY)
• Conduct cybersecurity tabletops
• Review cybersecurity response plan
• Monitor access to sensitive
information
• Collaborate across org to understand
impact to lost information
• Monitor insider threat—with legal
guidance
• Train talent - new technology (e.g., cloud)

Summary and Conclusions
Cybersecurity in healthcare
organizations is challenging
PREVENT
DETECT
RESPOND
Legal protections are not
always sufficient
Understand
Impact of Lost
INFORMATION
Biomedical devices pose
significant risks
Conduct Inventory
Integrate - Procurement
Assess security RISKS
Ransomware attacks will
continue
Prepare Workforce
Conduct Tabletops
Develop Response Plan

Question
 When conducting a breach risk assessment, what
threshold must be assessed to consider a disclosure a
breach?
A. High risk of harm
B. Patient safety risk
C. Low probability of compromise
D. Excessive risk of disclosure

Answer
A. High risk of harm
B. Patient safety risk
C. Low probability of compromise
D. Excessive risk of disclosure
Explanation: The HIPAA Security Rule provides that whether or
not the presence of ransomware would be a breach is a fact-
specific determination, and one of the considerations is whether
there is a low probability that the PHI has been compromised.

Question
 Which of these controls represents a “physical
safeguard” under HIPAA?
A. Audit logging
B. Identity badge policy
C. Anti-virus
D. Security cameras

Answer
A. Audit logging
B. Identity badge policy
C. Anti-virus
D. Security cameras
Explanation: Of the choices, only security cameras are physical
in nature.

Question
 Which of the following represents the BEST strategy for
recovering from a ransomware infection?
A. Tape backup
B. User education
C. Anti-virus
D. Data loss prevention

Answer
A. Tape backup
B. User education
C. Anti-virus
D. Data loss prevention
Explanation: Of the choices, only a tape backup could have the
information available prior to the infection.

Question
 The HIPAA Privacy Rule
A. Provides state protections for individually identifiable health
information held by covered entities and their business
associates
B. Requires that covered entities and their business associates
perform a risk assessment
C. Provides federal protections for individually identifiable health
associates
D. Requires implementation of security measures that can help
prevent the introduction of malware, including ransomware

Answer
A. Provides state protections for individually identifiable health
associates
B. Requires that covered entities and their business associates
perform a risk assessment
C. Provides federal protections for individually identifiable
health information held by covered entities and their
business associates
D. Requires implementation of security measures that can help
prevent the introduction of malware, including ransomware
Explanation: HIPAA is a federal law and thus, does not provide state
protections. Thus, answer a. is wrong. Answers b. and d. are from the
HIPAA Security Rule.

Question
A. Protects all health information wherever it is found
B. Does not protect all health information wherever it is found
C. Applies to health information about an individual that has been
de-identified
D. Requires covered entities and business associates to
implement policies and procedures that can assist an entity in
responding to, and recovering from, a ransomware attack

Answer
A. Protects all health information wherever it is found
B. Does not protect all health information wherever it is
found
C. Applies to health information about an individual that has been
de-identified
D. Requires covered entities and business associates to
responding to, and recovering from, a ransomware attack
Explanation: HIPAA protects most individually identifiable health information
held or transmitted by a covered entity or its business associate in any form or
medium, whether electronic, on paper, or oral (PHI). It does not protect all
health information wherever it is found. Thus, answer a. is incorrect. It does
not apply to de-identified information, and thus, answer c. is incorrect. Answer
d. is from the HIPAA Security Rule.

Question
 The HIPAA Security Rule does not
A. Require that covered entities and their business associates
perform a security risk assessment
B. Require covered entities and business associates to
responding to and recovering from a ransomware attack
C. Require training users on malicious software protection
D. Extend to all wearable fitness trackers

Answer
A. Require that covered entities and their business associates
perform a security risk assessment
B. Require covered entities and business associates to
responding to and recovering from a ransomware attack
C. Require training users on malicious software protection
D. Extend to all wearable fitness trackers
Explanation: The HIPAA Security Rule applies to answers a., b.,
and c. It does not apply to all wearable fitness trackers. Such devices
were designed, created, and used after the drafting of HIPAA in 1996,
and thus were not anticipated at the time.

References
 Health Insurance Portability and Accountability Act, Pub. L. 104-191,
110 Stat. 1936 (1996); http://library.clerk.house.gov/reference-
files/PPL_HIPAA_HealthInsurancePortabilityAccountabilityAct_1996
.pdf
 Examining Oversight of the Privacy & Security of Health Data
Collected by Entities Not Regulated by HIPAA. U.S. Department of
Health and Human Services;
https://www.healthit.gov/sites/default/files/non-
covered_entities_report_june_17_2016.pdf
 FACT SHEET: Ransomware and HIPAA.
http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

PERSHING YOAKLEY & ASSOCIATES, P.C.
800.270.9629 | www.pyapc.com
Contact Information
 Cathy Beech:
 beech@email.chop.edu
 Direct 267.426.0532
 Paul R. DeMuro:
 pdemuro@broadandcassel.com
 Direct 954.745.5224|Mobile 213.308.7859
 Barry Mathis:
 bmathis@pyapc.com
 Direct 865.684.2785 | Mobile 423.827.7893
 John T. Rasmussen:
 John.T.Rasmussen@medstar.net
Thank you!

Data and Network Security: What You Need to Know