The U.S. Health and Human Services (HHS) Secretary, Xavier Becerra, recently sent a letter directed at healthcare leaders. The letter serves as a reminder for “the nation’s critical health infrastructure” to remain vigilant against cyber threats. It comes amid an increase in cyberattacks because of the COVID-19 pandemic and the holidays.
Healthcare covered entities work with sensitive protected health information (PHI) and therefore must demonstrate HIPAA compliance to properly protect patients.
Such reminders from HHS, whether providing old or new information, are necessary to help combat data breaches. The four main points are explored below.
Be alert, especially during the holidays
As a general rule, it is important for healthcare organizations to always be alert, especially during the holidays.
Healthcare providers are viewed as juicy targets by cyberattackers who may want to encrypt or exfiltrate PHI. Why? To access, expose, or hold the data for ransom. And unfortunately, costs may go even further with HIPAA violations, fines, disrupted operations, and even patient death. This is why HHS continuously emphasizes HIPAA compliance and strong cybersecurity and releases alerts about specific vulnerabilities.
Take for example the new Apache Log4j vulnerability CVE-2021-44228, which the HHS secretary highlights in his letter. The software does not treat log message parameters as plain text: its lookup feature resolves special directives embedded in logged input, which gives cyberattackers an entryway (i.e., an open door) to run code on the affected system.
Apache Log4j software is utilized in the control systems of medical devices and hardware. Accordingly, HHS recommends implementing the Cybersecurity and Infrastructure Security Agency (CISA) guidelines about the vulnerability.
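The first step in the CISA guidance is knowing where affected Log4j copies sit in your environment. As an added example (not code from the HHS letter, CISA, or Paubox), this Python check walks a directory tree and flags log4j-core JARs whose version falls in the range affected by CVE-2021-44228; the version boundaries are assumptions taken from the Apache advisory, and the sample file tree is constructed inline.

```python
"""Inventory check for Apache Log4j 2 JARs affected by CVE-2021-44228.

Assumption (from the Apache advisory): log4j-core 2.0-beta9 through 2.14.1 is
affected; 2.15.0+ (Java 8), 2.12.2+ (Java 7) and 2.3.1+ (Java 6) carry the fix.
"""
import os
import re
import tempfile

JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+\d*))?\.jar$", re.IGNORECASE)


def parse_version(filename):
    """Return (major, minor, patch, prerelease) for a log4j-core JAR name, else None."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), (pre or "").lower())


def is_vulnerable(version):
    """True when the parsed log4j-core version lacks the CVE-2021-44228 fix."""
    major, minor, patch, pre = version
    if major != 2 or (minor, patch) >= (15, 0):
        return False                      # not 2.x, or 2.15.0 and later
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False                      # Java 7 / Java 6 backports
    if (minor, patch) == (0, 0) and pre.startswith("beta"):
        return int(pre[4:]) >= 9          # JNDI lookups arrived in 2.0-beta9
    return True


def scan(root):
    """Return sorted (path, vulnerable) pairs for every log4j-core JAR under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            v = parse_version(f)
            if v is not None:
                findings.append((os.path.join(dirpath, f), is_vulnerable(v)))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and return {jar name: vulnerable}."""
    sample = ["ui/lib/log4j-core-2.14.1.jar", "reports/log4j-core-2.17.1.jar",
              "legacy/log4j-core-2.12.2.jar", "old/log4j-core-2.0-beta9.jar",
              "ui/lib/log4j-api-2.14.1.jar"]  # api JAR is not the affected artifact
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            open(os.path.join(root, rel), "w").close()
        return {os.path.basename(p): vuln for p, vuln in scan(root)}
```

Shaded or renamed JARs and copies embedded inside WAR or EAR archives are not covered, so a clean result is a starting point for the CISA checklist, not proof of absence.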
Review cybersecurity resources
One way to stay ahead of new vulnerabilities and cyberattacks is to continuously review cybersecurity resources. HHS recommends its own resources, including listservs, and CISA’s Preparing For and Mitigating Potential Cyber Threats.
Throughout 2021, Paubox highlighted several cybersecurity resources to help healthcare providers stay ahead of cybercriminals:
- National Security Agency’s guidance on weak encryption protocols (January 2021)
- National Institute of Standards and Technology’s ransomware tips (May 2021)
- HHS’ ransomware guidance (June 2021)
- CISA’s fact sheet on ransomware (September 2021)
- Cloud Security Alliance’s guidance on the healthcare cloud (October 2021)
- Financial Crimes Enforcement Network’s updated advisory on managing ransomware attacks (December 2021)
All are worth reading.
By and large, HHS is the perfect resource; the agency even launched a new website for its 405(d) Aligning Health Care Industry Security Approaches Program. Created to provide best practices, encourage behavioral change, and promote consistent mitigation techniques, the website is a great trove of helpful tips and resources.
Monitor and maintain readiness
In reality, strong cybersecurity is not just about putting layered features into place but also about monitoring your system and maintaining readiness. And a big chunk of this is ensuring your emergency plans are up-to-date. Your business continuity plan, for example, can help you avoid a disaster before it occurs.
It can also provide a guide in case a cyberattacker finds an open access point. Moreover, such plans help you and your staff know what to do after a HIPAA violation.
Make sure to keep your employees well-informed of new threats like the Apache Log4j vulnerability. An unaware, stressed staff raises cybersecurity risks, especially as more and more employees work from home.
Report all incidents
Finally, if you do detect a possible incident, ensure you tell the appropriate parties as laid out by laws such as the HIPAA Breach Notification Rule.
Privacy laws and reporting regulations exist for three important reasons:
- Provide adequate warning
- Support agencies and IT specialists to stop future breaches
- Help healthcare organizations avoid breaches and violations
Under HIPAA, healthcare providers may have to notify HHS, local authorities, the affected individuals, and the media in case individuals are unreachable. The HHS secretary’s letter specifically mentions CISA and the FBI because information sharing is essential to combatting cyberattacks.
But don’t forget solid cybersecurity
This reminder should prompt organizations to always be attentive and to always use strong cybersecurity.
Several months ago, Paubox released its own top cybersecurity tips for healthcare organizations. We focused on three hot topics: employee training, email encryption (i.e., email security), ditching the fax, and two-factor authentication (2FA).
Here, given what is discussed above, we’d like to add:
- Secure and monitor remote desktop protocol
- Update or replace legacy systems
- Incorporate Zero Trust Email (like Paubox Email Suite Plus)
Ultimately, the latest letter from HHS should serve as a needed reminder to always remain vigilant. Letting your guard down puts your organization and your patients at risk.