Congressional Hearing on HHS Cybersecurity

PHI Security Emphasized

Congressman Tim Murphy chaired a recent hearing on the HHS cybersecurity role. The hearing included a review of two reports that HHS was required to submit to Congress, following the implementation of the Cybersecurity Information Sharing Act (CISA) of 2015. The reports outline the department’s internal cybersecurity processes and industry recommendations for what the federal government and industry can do to improve cybersecurity efforts in the health care sector. The backdrop to the hearing was the “WannaCry” ransomware attack that has hit countries around the world. As with other cyberattacks, ransomware spreads through a phishing attack, which involves tricking email recipients into installing malicious software that encrypts the system and causes users to lose access to their documents. The user is then prompted to pay a ransom in order to have his or her system restored. For health care providers, concern involves not only the business, but also the risk of breaches of protected health information (PHI).

Discussions during the hearing included the creation of the Health Cybersecurity and Communications Integration Center (HCCIC) and the Health Care Industry Cybersecurity Task Force. Both have identified areas in which HHS can and should help improve the nation’s cybersecurity. One of the major challenges is maintaining security across unique platforms and devices needed to provide appropriate and timely patient care. Although the health care and public health sectors have both improved their ability to manage cybersecurity events, maintaining the balance between securing important data and protecting patient privacy needs continuous evaluation and adjustment. The Task Force identified six imperatives:

1. Define and streamline governance and expectations for cybersecurity;
2. Increase the security of medical devices;
3. Create the workforce capacity necessary to prioritize cybersecurity awareness;
4. Increase readiness via cybersecurity awareness and education;
5. Find ways to protect R&D efforts and intellectual property from attacks; and
6. Improve information sharing of threats and weaknesses.

Safeguarding Tips

Health care organizations should consider the following in protecting themselves against data breaches, malware, and ransomware.

1. Don’t assign responsibility for cybersecurity to someone at a low level in the organization.
2. Ensure software products are up to date with the most recent patches at all times.
3. Establish an aggressive patching schedule for all software.
4. Implement policies and procedures for precautions against malware.
5. Train employees to not click on suspicious email links or attachments, or to respond to phishing inquiries.
6. Regularly test users to make sure they are on alert for potential cybersecurity threats.
7. Configure email servers to block zip or other files that are likely to be malicious.
8. Restrict permissions for database and network access as needed.
9. Grant access to systems on a need to know standard.
10. Limit employee access to files on a single server to prevent the potential spread of viruses.
11. Focus security efforts on those files that are most critical, such as patient records.
12. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate them.
13. Maintain frequent data backups to permit restoring of lost data in case of an attack.
14. Regularly take full snapshots of data and store them offline.
15. Monitor email carefully and do not open email attachments from unknown parties.
16. Conduct regular systems tests to flag vulnerabilities before a hacker can gain access.
17. Develop a business continuity plan to prevent downtime.
18. Maintain disaster recovery and emergency operation plans.
19. Prevent spread of attacks by disconnecting infected systems from a network, disabling Wi-Fi, and removing USB sticks or connected external hard drives.
20. Establish real-time data backups to permit work to continue.

Have Compliance Questions? Contact Our Experts

Strategic Management Services has healthcare compliance experts with years of experience evaluating compliance programs. If you have questions regarding how to protect against cybersecurity attacks or about your compliance program, give us a call at (703) 683-9600 or contact us online.