Healthcare IT Update: Key Considerations for Data Security Threats


Healthcare IT Update | February 27, 2017

Healthcare and regulatory partner Julia Hesse recently led a discussion on data security threats at HIMSS17 - the annual Healthcare Information Management Systems Society conference. Here are the key take-aways from her presentation.

Data Security: Threat Assessment in the Ransomware Age

The “internet of things” and connected devices are drastically increasing risk of malicious cyberattack. Why?

  • Any device that is connected to a provider’s network can be used as an entry point.
  • The HIMSS17 floor featured connected devices ranging from patient engagement systems and virtual-reality enhanced imaging to internet connected lightbulbs.
  • Consumer and standard commercial products sold to hospital entities (TVs, HVAC systems, copiers/printers) are also a potential threat.
  • Security specialists have found that providers are not aware of (and not tracking, security patching or inventorying) about 40% of the devices connected to that provider’s network.

Ransomware attacks are real, and pose an immediate threat to providers and vendors of all sizes. Why?

  • Federal regulators estimate that 4,000 ransomware attacks were made on U.S. hospitals each day of calendar year 2016.
  • Ransomware is available for free, to anyone who seeks it on the dark web.
  • Ransomware propagates through a system laterally and encrypts all data it finds.
  • Encryption protocols are so advanced that it is virtually impossible to break the encryption code.
  • Vendors whose software and systems are used as the entry point for an attack will be subject to negligence and other tort claims if their security protocols are insufficient.
  • An entity’s best defense is to have a robust and immediately available back-up system to rely on in the case of attack.

Consider obtaining SAFETY Act certification for your organization’s programs or systems – and requiring your software vendors to obtain it. Why?

  • The SAFETY Act allows organizations to seek certification from the Department of Homeland Security that the service or product meets defined security standards.
  • It eliminates or minimizes tort liability for organizations that have received SAFETY Act certification in the event of a cyberattack.

The era of HIPAA enforcement has begun.

  • HIPAA regulators entered into more settlements in the past year than they have over the entire life of HIPAA combined.
  • Provider organizations are not the only entities in the crosshairs – regulators are focusing enforcement attention on business associates.
  • HIPAA regulators imposed more than $24 million in penalties in 2016, and are on track to impose more than $65 million in penalties in 2017.

Federal regulators are losing patience with organizations that have not conducted thorough security risk analysis.

  • Some of the largest penalties and corrective action plans of 2016 involved organizations that did not complete a risk analysis – or conducted one that was incomplete.
  • And those 40% of internet-connected devices you don’t know about? Regulators are on record saying that they expect organizations to inventory their internet-connected devices and to include those devices in the organization’s risk assessment.
