Also known as the “Wall of Shame,” the cases currently under investigation by the U.S. Department of Health and Human Services detail hundreds of violations reported by healthcare organizations around the world. United States in the past 24 months. The number of threats and the cost of those threats – continues to increase.
While healthcare industry organizations work with federal lawmakers on ways for the government to help address the relentless cyberattacks on critical healthcare infrastructure, The industry is highly focused on issues such as how to move the needle for third-party cybersecurity, working together to improve cyber preparedness, and best practices for catching up. investigating cybercrime. This is Healthcare IT News‘ the most read privacy and cybersecurity stories of 2022.
EHR provider faces lawsuit after data breach. In January, Tennessee-based QRS, which provides EHR and practice management software, was accused of failing to implement recommended threat prevention measures to prevent and detect attacks. The cyber publicity stemmed from the August 2021 data leak of their patient portal. “QRS was unable to properly secure, monitor, and maintain protected health information and personally identifiable information stored on its patient portal,” the plaintiff said.
CommonSpirit is still working to restore the EHR system after the ransomware attack was confirmed. The October cyberattack caused widespread outages at CommonSpirit hospitals and medical facilities across several states. After the merger of DignityHealth and Catholic Health Initiatives in 2017, the system became the second largest nonprofit hospital chain with more than 350 hospitals nationwide. Loss of access to medical records and patient portals, delayed medical procedures, canceled appointments and other disruptions have hampered the operations of more than 140 facilities. Upon further investigation, CommonSpirit discovered that the breach also exposed protected data held by Virginia Mason Franciscan Health.
PATCH Act seeks to enhance security for medical devices, IoT networks. In April, Senators Tammy Baldwin, D-Wisconsin and Dr Bill Cassidy, R-Louisiana introduced the Network Health Care Transformation and Protection Act to implement a new set of requirements for medical devices. economy and network security. Although the PATCH Act, which would amend the Food, Drug, and Cosmetic Act, hasn’t been passed this year, the FDA released draft cybersecurity guidelines for medical devices in April and worked with MITRA to release an incident preparedness and response handbook.
FBI points out cybersecurity risks of outdated medical devices. The Federal Bureau of Investigation has issued recommendations to address a number of cyber security vulnerabilities in active medical devices such as insulin pumps, defibrillators, remote portable heart monitors, and pacemakers. heart rate and analgesia pump in the shell. The agency found an average of 6.2 vulnerabilities per medical device, and 40% of medical devices are at the end of their lifecycles offering little or no security patches or upgrades. . hospital
FBI, CISA warn about Zeppelin ransomware targeting healthcare sector. In August, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a joint warning that the Zeppelin ransomware, a derivative of the Vega malware family, was based at Delphi, is being used in cyberattacks against healthcare organizations. Cybercriminals have deployed Zeppelin against a range of critical infrastructure organizations since 2019, demanding high ransom payments in bitcoin and stealing data, according to CISA. The alert outlines tactics, techniques and procedures, as well as possible incidents, as well as recommendations to help hospitals and health systems reduce risk.
Cybersecurity incident disrupts operations at Tenet hospitals. In April, Dallas-based Tenet Healthcare Group disrupted some of its more than 550 acute care operations, including denying ambulances in Massachusetts and losing access into EHRs in Florida. The company halted operations due to the network breach and provided some details in its announcement a week later.
Kaiser Permanente employee accused of violating EHR. In November, Kaiser Foundation Health Plan of the Mid-Atlantic States announced that one of its staff members inappropriately accessed portions of a patient’s medical records, disclosing demographics and information patient medical information, including photos. During insider threats discussions at the recent HIMSS 2022 Cybersecurity Forum, many healthcare IT professionals expressed their concerns about access management.
Hospitals still haven’t dealt with their IoT devices. The HealthCare 2022 Connected Device Insecurity report released by Cynerio and the Ponemon Institute shortly after mid-year detailed several alarming trends facing the healthcare sector, including repeated and widespread attacks, financial losses in the millions of dollars, and frequent failure to implement basic cybersecurity measures.
FDA releases draft guidance on medical device cybersecurity. Replacing guidance issued in 2018, the FDA published draft guidance in April to help ensure that medical devices marketed are adequately protected against cybersecurity threats. . The agency has accepted comments on “Cybersecurity in Medical Devices: Quality System Considerations and the Content of Advance Marketing Submissions” through the end of July.
Report shows direct link between hospital cyberattacks and patient mortality. Based on a poll of more than 640 IT and security leaders, the Ponemon Institute found that 89% of organizations surveyed experienced an average of 43 attacks in the past year – averaging almost one attack per day. week. The September report found that of the health systems that experienced the four most common types of cyberattacks, 20% said they subsequently experienced increased patient mortality.
Andrea Fox is the senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a publication of HIMSS.
