We understand that resources are tight, and you likely don’t have time to dissect every reported incident. You may say, ‘I not only have no time, but I wouldn’t know where to start.’
Sensato CEO John Gomez has done the work for you by reviewing a real-life cyberattack (Oklahoma State University - Center for Health Sciences) and the OCR findings. The video is a deep dive review of the OCR findings so that you can do the following:
1) Learn how you can review and dissect future events to learn what you should do differently
2) Understand the details from this breach and make some adjustments to your environment
Background of the Breach:
Oklahoma State University Center for Health Sciences (OSU-CHS) reported a breach of Protected Health Information (PHI) to the Office of Civil Rights (OCR) on January5, 2018, that impacted 279,865 individuals.
The Incident: An unauthorized 3rd party gained access to a web server and uploaded malware – PHI was stored on this webserver. The first date the person accessed the server was on March 9, 2016. At the time of the incident, OSU-CHS was unaware that PHI was stored on the server.
OCR Findings: A fine of $875,000 was levied for OSU-CHS +corrective actions that need to happen within a defined period.
Things to Know:
· All breaches are listed on the OCR website (HHS.gov) and open to public view – this is an excellent place to review the incidents as we do in the video
· OCR will not bring a civil suit against a hospital; however, the OCR findings can lay the foundation for civil claims against you (as has already been seen in other instances)
· Walking through the OCR findings can help you evaluate if you have holes in your cybersecurity plan. Now is the time to review your plans, don’t wait until you are a cyberattack victim.
Things to Consider:
· Know where your PHI is located – in this case, OSU-CHS did not know at the time of the incident if PHI was located on the server.
Action: Inventory and document what systems are storing PHI
· Cyber liability insurance – in this example, it’s likely that your cyber liability insurance would not apply – if HHS finds that you have many items to correct, it’s possible you attested to your cyber liability insurance company that you already did these things. Therefore, they likely won’t pay. There’s often language in the cyber liability insurance that states “must adhere to cybersecurity best practices,” and insurance companies can use this as a catch-all to not honor claims.
· Review Policies and Procedures – you should do a quarterly review to determine if your policies are meeting current threats and best practices (OCR says annually, but it’s best practice to do it quarterly)
Corrective Action Plans:
In addition to OSU-CHS paying a hefty fine, they also need to pay to implement corrective actions. Detailing corrective actions is a newer approach from OCR. Could this be a trend where they levy a minor fine but mandate corrective action needs to occur within a defined period; otherwise, they could come back and levy more fines?
Here are some corrective actions that OSU-CHS must take (as mandated in the OCR findings). You can use these steps to check your cybersecurity program to ensure these items are in place:
· Conduct a Risk Analysis of systems with PHI –see Word of Caution about this below
· Document a Risk Management plan to address and identify security threats
· Develop, maintain, and revise written policies and procedures
· Train employees on the policies and procedures that relate to their job function – and show that they “understand.”
· Not provide employees access to PHI that have not completed the training (again, therefore, it’s essential to know where your PHI is stored)
· All materials need to be provided to HHS – do you have all these materials?
A Word of Caution: Don’t subscribe to “Compliance Island Syndrome,” where you decide only to protect or assess systems that contain PHI. This is a bad idea from a security perspective because attackers can gain access to any part of your network and then access PHI. Even though OCR, in this case, only mandates that OSU do a risk assessment of their systems with PHI, we recommend including all systems. A civil suit will look at your organization holistically, not just those systems with PHI.
Even if you have monitoring tools in place, but your policy and procedures aren’t followed, if you aren’t conducting employee training, and if you aren’t paying attention to the current threat landscape, you could easily be in the same position as OSU-CHS. There is a lot more detail in the 30-minute video, which reviews the OCR findings from the HHS website. This is a great learning tool for all healthcare organizations.
Watch the video here.
Sensato has services and solutions, making compliance, detection, and response easier for you. We take the burden off your teams and provide policies and procedures, risk assessments, and complete network detection, including 24x7 eyes-on-glass. Learn more here.
Contact us at firstname.lastname@example.org for more information.