Knowledge is the best attack deterrent, so check out our cyber security updates
24By7Security, Inc.

Healthcare Cybersecurity Biweekly Newsletter - June 21st, 2017

OCR Issues Guidance on the Correct Response to a Cyberattack

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued a quick-response checklist and an accompanying infographic that explain how to respond to a cyberattack and the sequence in which the actions should be taken.

  1. Responding to an ePHI breach: Organizations must have response and mitigation procedures and contingency plans in place, and must execute them when an incident occurs.
  2. Reporting cyberattacks to law enforcement: Covered entities should alert the FBI and/or the Secret Service to any cyberattack or ransomware incident, and should also notify state and local law enforcement.
  3. Sharing threat indicators: After law enforcement has been notified, covered entities should report cyber threat indicators to federal agencies and to information sharing and analysis organizations (ISAOs).
  4. Notifying affected individuals and OCR: If a breach affects 500 or more individuals, the covered entity must submit a breach notice to OCR no later than 60 days after discovering the breach; the affected individuals must be notified as well. A breach affecting fewer than 500 individuals may be reported to OCR within 60 days of the end of the calendar year in which it was discovered.

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements

The Department of Health and Human Services’ Office for Civil Rights has issued a reminder to covered entities about the HIPAA rules on security breaches. OCR explains what constitutes a HIPAA security incident, how to prepare for one, and how to respond when the perimeter is breached.

Security Incident: A security incident is defined as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

HIPAA Breach Notification Rule: This rule requires that OCR be notified, and that notifications be sent to affected patients, in the event of “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.”


Healthcare Hacking Leading Cause for 2017 Incidents

Four of the top five data breach incidents reported so far in 2017 were caused by hacking or unauthorized access to healthcare systems, according to OCR.

  1. A phishing scam at Washington University School of Medicine potentially exposed the data of 80,270 patients.
  2. Indiana-based VisionQuest Eyecare discovered a cyberattack on its network that affected 85,995 individuals.
  3. Harrisburg Gastroenterology and the Harrisburg Endoscopy and Surgery Center reported that an unauthorized individual viewed the patient information of 93,323 and 9,092 patients respectively.
  4. Texas-based Urology Austin reported a ransomware attack that affected 279,663 individuals.
  5. Commonwealth Health Corporation reported that a former employee accessed patient billing information without authorization, impacting the data of 697,800 individuals.

Implementing HIPAA Technical Safeguards for Data Security

Covered entities should understand what HIPAA technical safeguards are so they can build the applicable ones into daily operations. Technical safeguards are only one consideration for covered entities and business associates, and should be used as part of a larger cybersecurity program. The HIPAA Security Rule defines technical safeguards as the technology, and the related policies and procedures for its use, that protect ePHI and control access to it; the technical safeguard standards apply to all ePHI. Common technical safeguard options include, but are not limited to: anti-virus software, multi-factor or two-factor authentication, data encryption, de-identification of data, firewalls, mobile device management (MDM), and remote wipe capability.

While no healthcare organization can guarantee that a data breach or security incident will never happen, utilizing the necessary safeguards can help prevent them from occurring.


Five Steps to HIPAA Compliance

View this brief video on five steps to HIPAA Compliance – a must for all physicians and their staff.

Upcoming Events!

ISSA 2017 International Conference - Oct 9 - 11, 2017

Michael Brown of 24By7Security, Inc. will be speaking on Cyber Resilience at the ISSA 2017 International Conference being hosted at the Sheraton Hotel and Marina in San Diego, California.


Georgia ISSA Atlanta Conference - Nov 15, 2017 @ 8:00 am

24By7Security is pleased to sponsor Atlanta’s premier security conference, “Paradigm of Dependable Security” and will be exhibiting and networking there.


Data Connectors Fort Lauderdale Tech-Security Conference - Dec 14, 2017

24By7Security is pleased to sponsor the Data Connectors Fort Lauderdale Tech-Security Conference in Fort Lauderdale, Florida.



About us

24By7Security, Inc. is a full-service cybersecurity strategy, implementation, operations and training firm. We provide cybersecurity and compliance-related services across all functions of the enterprise. Our compliance services cover CFPB/DFA, FIPA, FERPA, GLBA, HIPAA, PCI, SOX, and other regulations.


24By7Security, Inc.

4613 N. University Drive, Suite #267

Coral Springs, FL 33067

(844) 55-CYBER