The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Mega fines and legal costs totaling more than $270m related to two breaches for health insurers Premera and Anthem. We break down the details behind the OCR penalties, state fines, and class action lawsuits.
• NIST releases the new NIST SP 800-53 Rev 5, the first overhaul of NIST 800-53 in over seven years. We discuss the major changes to the standard and its implications for healthcare entities.
• The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) warns that it may begin to issue fines for organizations that facilitate payment to ransomware attackers. We discuss the difficult position healthcare providers face between patient safety and potential federal fines.
• Highlights from the ransomware breach of Universal Health Services this week that may impact its over 400 locations.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity:

• A recent patient fatality directly resulting from a cyber attack; details and analysis
• OCR’s latest resolution agreement and $1.5m fine for a Covered Entity breach involving a third-party Business Associate
• A ransomware recovery case study from a hospital that remains crippled for several months following the attack

The atmosphere of healthcare delivery is changing, as critical business functions move to third-party cloud-hosted platforms.

Ascending the business into the cloud, however, does not transfer the risk of breach and regulatory storms - and can even introduce new risks that must be evaluated, tracked, and remedied.

In this episode of The CyberPHIx, we speak with Dan Bowden, VP and CISO for Sentara Healthcare. Dan has decades of healthcare security leadership experience and during this session, discusses ways to identify and prepare for the “dark clouds” looming on the horizon.

Highlights of the discussion include:

• Leveraging critical security controls models for cloud deployments
• Cloud Application Security Broker (CASB) solutions and lessons learned
• Customer accountability in shared controls models for cloud environments
• Third-party risk management, SLAs, and contract management with cloud providers

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Key takeaways and analysis of the Cloud Security Alliance’s new report on Cloud Risk Management, including shared responsibility, third-party risk, new cloud audit & reporting models, and more
• A new amendment to California’s Consumer Privacy Act (CCPA) regulation related to deidentification of patient data
• The outcome of a lawsuit leveled at the Nuance transcription company related to their 2017 ransomware breach that impacted health systems
• Details of the FBI and CISA alert this week for an ongoing voice phishing (vishing) campaign targeting remote workers
• Analysis of a Harvard study released this week highlighting security risks with COVID-19 home monitoring devices

Malicious attacks were the listed as the dominant threat vector and source of healthcare breaches this year according to IBM’s 2020 Data Breach Report [1]. Top sources of compromises from these malicious attacks included compromised access credentials, cloud misconfigurations, and vulnerabilities in third-party software.

Opportunistic cyber attackers have seized the moment of a pandemic to target vulnerable healthcare entities and their remote workforces for their own personal gain. Attacks have leveraged COVID-19 themes for social engineering assaults, phishing campaigns, ransomware entry, and more. Healthcare organizations are on their heels trying to thwart unprecedented viruses, both physical and virtual alike.

In this CyberPHIx episode, we speak with Kevin Sacco, who leads the Ethical Hacking and Penetration Testing practice for Meditology Services. With almost 20 years in the field, Kevin talks about his experiences hacking healthcare organizations, including recent pandemic-era attacks.

Highlights of the discussion include:

• Heartless hackers: the bad guys and their motives
• Common healthcare security vulnerabilities and cybersecurity weak spots identified in penetration testing assessments
• The impact of the pandemic on attack methods, remote workforce targeting, and protection mechanisms
• Recommendations for the most cost-effective and impactful security controls to mitigate attacks
• War stories from decades of hacking healthcare entities

The average breach costs healthcare organizations $7.13m. Organizations that conduct routine penetration testing save an average of $243k per breach.

Healthcare is likely to remain in the cross hairs of attackers for some years to come. Kevin provides practical and cost-effective recommendations for thwarting these damaging attacks on our critical healthcare infrastructure.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• A curious malware ‘Meow bot’ identified an unsecured healthcare database exposed to the Internet and replaced over 3.1 million patient records with the word “meow”
• NIST’s new Zero Trust Architecture framework released this week; application of the framework and implications for healthcare entities
• Apple’s deployment of new privacy “nutrition labels” required for apps in iOS 14
• FTC announces a ramp up in privacy enforcement at PrivacyCon 2020 conference this week; what this means for healthcare entities

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Review of the key healthcare cybersecurity findings in the 2020 IBM Cost of a Data Breach Report (formerly known as the Ponemon Data Breach Report)
• Average healthcare breach costs, top sources of data breaches, and most effective security interventions for reducing breach costs and impact
• Analysis and recommendations for healthcare security CISOs and programs to adjust based on this new data and related trends
• Details of a presidential executive order issued this week to promote rural telehealth access and incentives for Medicare populations
• $53m federal stimulus proposed to improve cybersecurity and protect COVID-19 research data

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Telehealth adoption trends and highlights from a new KLAS report released this week
• Lessons learned from a recently reported breach event for a telehealth app
• Federal HIPAA and state exemption extensions and modifications related to telehealth platforms and recommendations for steps that healthcare providers can take to secure telehealth platforms
• 21st Century Cures Act enforcement, fines, and technical integration and security mandates
• Smart phone app integration standards for EHRs as part of the Cures Act including HL7’s FHIR standard, EHR and app development progress, and related security requirements and recommendations for healthcare entities

Cybersecurity incidents have wide-ranging impacts including patient safety, operational effectiveness, and regulatory compliance. Effective preparation and response to common security incidents have become an essential organization skill set required to survive the tumultuous environment facing healthcare entities today.

Join us in this episode of the CyberPHIx where we speak with Nadia Fahim-Koster, who is a Partner with Meditology Services and leads the organization’s privacy and security practice. We discuss cybersecurity incident response trends and leading practices for healthcare entities.

Highlights of the discussion include:

• How to engage the business: incident response simulations techniques and approaches
• Lessons learned from incident response tabletops and real-world cybersecurity events
• Changes to incident response practices during COVID-19
• The dependence on third parties and incorporating third-party communication and planning into incident response plans
• How to engage external parties like the FBI and cyber liability providers in incident response processes
• Ransomware payment trends and decision points for the business

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• UnityPoint Health in Iowa reaches a $2.8m class action lawsuit related to phishing breaches in 2018; discussion on implications for the industry, breach response lessons learned, OCR and class action risks, and recommended actions for healthcare entities
• NIST report released looking at the statistical trends for financial losses related to cybercrime activity; analysis of the report and implications for healthcare security program investments
• UCSF pays $1.14m ransom to retrieve COVID-19 research data; details of the case, FBI involvement and negotiations; recommendations provided for ransomware prevention and response
• Bipartisan Senate introduction of an amendment to the 2021 National Defense Authorization Act that would provide funding for a cybersecurity coordinator in every state, and re-instate the national cybersecurity director position that the Trump administration eliminated