March 17, 2022
Throughout 2020 and 2021, hackers have targeted the health care industry seeking unauthorized access to valuable electronic protected health information (ePHI). The number of breaches of unsecured ePHI reported to the U.S Department of Health and Human Service’s Office for Civil Rights (OCR) affecting 500 or more individuals due to hacking or IT incidents increased 45% from 2019 to 2020.[i] Further, the number of breaches due to hacking or IT incidents accounted for 66% of all breaches affecting 500 or more individuals reported to OCR in 2020.[ii]
Although some attacks may be sophisticated and exploit previously unknown vulnerabilities (i.e., zero-day attack), most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates (“regulated entities”) implemented HIPAA Security Rule requirements to address the most common types of attacks, such as phishing emails,[iii] exploitation of known vulnerabilities, and weak authentication protocols. If an attack is successful, the attacker often will encrypt a regulated entity’s ePHI to hold it for ransom, or exfiltrate the data for future purposes including identify theft or blackmail. Cyber-attacks are especially critical in the health care sector as attacks on ePHI can disrupt the provision of health care services to patients. This newsletter explores preventative steps regulated entities can take to protect against some of the more common, and often successful, cyber-attack techniques.
One of the most common attack vectors is phishing. Phishing is a type of cyber-attack used to trick individuals into divulging sensitive information via electronic communication, such as email, by impersonating a trustworthy source.[iv] A recent report noted that 42% of ransomware attacks in Q2 2021 involved phishing.[v] All regulated entities’ workforce members should understand they have an important role in protecting the ePHI their organization holds from cyber-attacks. Part of that role involves being able to detect and take appropriate action if one encounters suspicious email. To ensure workforce members can take appropriate action, regulated entities should train their workforce members to recognize phishing attacks and implement a protocol on what to do when such attacks or suspected attacks occur (e.g., report suspicious emails to appropriate IT personnel).
The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members.[vi] A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond. Management personnel should also participate, as senior executives may have greater access to ePHI and are often targeted in phishing email attacks (e.g., whaling[vii]).
Regulated entities should follow up on security training with periodic security reminders. The Security Rule includes an addressable[viii] provision for such reminders.[ix] An example of a security reminder is sending simulated phishing emails to workforce members to gauge the effectiveness of their security awareness and training program and offer additional, targeted training where necessary. An educated workforce can be an effective first line of defense and an integral part of a regulated entity’s strategy to defend, mitigate, and prevent cyber-attacks. Unfortunately, security training can fail to be effective if it is viewed by workforce members as a burdensome, “check-the-box” exercise consisting of little more than self-paced slide presentations. Regulated entities should develop innovative ways to keep the security trainings interesting and keep workforce members engaged in understanding their roles in protecting ePHI.
In addition to education, regulated entities can mitigate the risk of phishing attacks by implementing anti-phishing technologies. Anti-phishing technologies can take several approaches. One approach examines and verifies that received emails do not originate from known malicious sites. If an email is suspected of being a threat, it can be blocked and appropriate personnel notified. Other approaches can involve scanning web links or attachments included in emails for potential threats and removing them if a threat is detected. Newer techniques can leverage machine learning or behavioral analysis to detect potential threats and block them as appropriate. Many available technology solutions use a combination of these approaches.
Regulated entities are required to ensure the integrity of ePHI by implementing “policies and procedures to protect ePHI from improper alteration or destruction.”[x] In addition, the Security Rule requires regulated entities to assess and reduce risks and vulnerabilities to the availability of ePHI (as well as its confidentiality and integrity), which is defined as “the property that data or information is accessible and useable upon demand by an authorized person.”[xi] Anti-phishing technologies can impede or deny the introduction of malware that may attempt to improperly alter, destroy, or block authorized access to ePHI (e.g., ransomware), and thus can be a helpful tool to preserve the integrity and availability of ePHI.
Combining an engaged, educated workforce with technical solutions gives regulated entities the best opportunity to reduce or prevent phishing attacks.
Exploiting Known Vulnerabilities
Hackers can penetrate a regulated entity’s network and gain access to ePHI by exploiting known vulnerabilities. A known vulnerability is a vulnerability whose existence is publicly known. The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD),[xii] which provides information about known vulnerabilities. Exploitable vulnerabilities can exist in many parts of a regulated entity’s information technology infrastructure (e.g., server, desktop, and mobile device operating systems; application, database, and web software; router, firewall, and other device firmware). Often, known vulnerabilities can be mitigated by applying vendor patches or upgrading to a newer version. If a patch or upgrade is unavailable, vendors often suggest actions to take to mitigate a newly discovered vulnerability. Such actions could include modifications of configuration files or disabling of affected services. Regulated entities should pay careful attention to cybersecurity alerts describing newly discovered vulnerabilities. These alerts (several sources of which are enumerated below) often include information on mitigation activities and patching.
Although older applications or devices may no longer be supported with patches for new vulnerabilities, regulated entities should still take appropriate action if a newly discovered vulnerability affects an older application or device. Regulated entities should upgrade or replace obsolete, unsupported applications and devices (legacy systems). However, if an obsolete, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur (e.g., increase access restrictions, remove or restrict network access, disable unnecessary features or services).[xiii]
Regulated entities are required to implement a security management process to prevent, detect, contain, and correct security violations.[xiv] This process includes conducting a risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.[xv] The HIPAA Security Rule requires the risk analysis to be accurate and thorough, and thus it should include processes that identify potential technical and non-technical[xvi] vulnerabilities. Technical vulnerabilities may include “holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.”[xvii]
Regulated entities can identify technical vulnerabilities to include in their risk analysis in a number of ways including:
- subscribing to Cybersecurity and Infrastructure Security Agency (CISA) alerts[xviii] and bulletins;[xix]
- subscribing to alerts from the HHS Health Sector Cybersecurity Coordination Center (HC3);[xx]
- participating in an information sharing and analysis center (ISAC) or information sharing and analysis organization (ISAO);
- implementing a vulnerability management program that includes using a vulnerability scanner to detect vulnerabilities such as obsolete software and missing patches; and
- periodically conducting penetration tests to identify weaknesses that could be exploited by an attacker.
Regulated entities should not rely on only one of the above techniques, but rather should consider a combination of approaches to properly identify technical vulnerabilities within their enterprise. Once identified, assessed, and prioritized, appropriate measures need to be implemented to mitigate these vulnerabilities (e.g., apply patches, harden systems, retire equipment).
Weak Cybersecurity Practices
A regulated entity that has weak cybersecurity practices makes itself an attractive soft target. Weak authentication requirements are frequent targets of successful cyber-attacks (over 80% of breaches due to hacking involved compromised or brute-forced credentials).[xxi] Weak password rules and single factor authentication are among the practices that can contribute to successful attacks. Once inside an organization, weak access controls can further contribute to an attacker’s ability to compromise systems by accessing privileged accounts, moving to multiple computer systems, deploying malicious software, and exfiltrating sensitive data.
Regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes.[xxii] A regulated entity’s risk analysis should guide its implementation of appropriate authentication solutions to reduce the risk of unauthorized access to ePHI. For example, authenticating users that access a regulated entity’s systems remotely (e.g., working from home) may present a higher level of risk to a regulated entity’s ePHI than users logging into their desktop computer at work. To appropriately reduce the higher level of risk of remote access, a regulated entity may consider implementing stronger authentication solutions, such as multi-factor authentication.
Implementing access controls that restrict access to ePHI to only those requiring such access is also a requirement of the HIPAA Security Rule.[xxiii] Here, too, the risk analysis should guide the implementation of appropriate access controls. For example, a regulated entity may determine that because its privileged accounts (e.g., administrator, root) have access that supersedes other access controls (e.g., role- or user-based access) – and thus can access ePHI, the privileged accounts present a higher risk of unauthorized access to ePHI than non-privileged accounts. Not only could privileged accounts supersede access restrictions, they could also delete ePHI or even alter or delete hardware or software configurations, rendering devices inoperable. To reduce the risk of unauthorized access to privileged accounts, the regulated entity could decide that a privileged access management (PAM) system is reasonable and appropriate to implement. A PAM system is a solution to secure, manage, control, and audit access to and use of privileged accounts and/or functions for an organization’s infrastructure. A PAM solution gives organizations control and insight into how its privileged accounts are used within its environment and thus can help detect and prevent the misuse of privileged accounts.
Regulated entities should periodically examine the strength and effectiveness of their cybersecurity practices and increase or add security controls to reduce risk as appropriate. Regulated entities are required to periodically review and modify implemented security measures to ensure such measures continue to protect ePHI.[xxiv] Further, regulated entities are required to conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI to ensure continued protection of ePHI and compliance with the Security Rule.[xxv] Examples of environmental or operational changes could include: the implementation of new technology, identification of new threats to ePHI, and organizational changes such as a merger or acquisition.
Although malicious attacks targeting the health care sector continue to increase, many of these attacks can be prevented or mitigated by fully implementing the Security Rule’s requirements. Unfortunately, many regulated entities continue to underappreciate the risks and vulnerabilities of their actions or inaction (e.g., increased risk of remote access, unpatched or unsupported systems, not fully engaging workforce in cyber defense). The standards and implementation specifications of the HIPAA Security Rule provide a baseline for protecting ePHI. This document cites only a small sample of Security Rule requirements that can assist organizations in combatting cyber-attacks. The Security Rule in its entirety provides a foundation for helping regulated entities ensure the confidentiality, integrity, and availability of their ePHI. Further, HHS is collaborating with its industry partners, through the HHS 405(d) Aligning Health Care Industry Security Approaches Program, to provide the HPH sector with useful and impactful resources, products, and tools that help raise awareness and provide vetted cybersecurity practices, to combat cybersecurity threats common.
- OCR Director Lisa J. Pino’s February 22, 2022 Blog Post, Improving the Cybersecurity Posture of Healthcare in 2022: https://www.hhs.gov/blog/2022/02/28/improving-cybersecurity-posture-healthcare-2022.html
- 2020 Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance: https://www.hhs.gov/sites/default/files/compliance-report-to-congress-2020.pdf
- 2020 Annual Report to Congress on Breaches of Unsecured Protected Health Information: https://www.hhs.gov/sites/default/files/breach-report-to-congress-2020.pdf
- OCR Phishing Cybersecurity Newsletter: https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-february-2018.pdf
- Cybersecurity and Infrastructure Security Agency’s Ransomware resources for the Healthcare and Public Health Sector: https://www.cisa.gov/stopransomware/healthcare-and-public-health-sector
- NIST Phish Scale Rating System: https://www.nist.gov/news-events/news/2020/09/phish-scale-nist-developed-method-helps-it-staff-see-why-users-click
- NIST National Vulnerability Database: https://nvd.nist.gov
- OCR Cyber Security Incident Checklist: https://www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf
- NIST Security Configuration Checklists: https://csrc.nist.gov/Projects/National-Checklist-Program
- SRA Tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
- ONC 7 Step Approach for Implementing a Security Management Process: https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-6.pdf
- ONC/OCR Guide to Privacy & Security of Electronic Health Information: https://www.healthit.gov/topic/health-it-resources/guide-privacy-security-electronic-health-information
* This document is not a final agency action, does not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion.
[iii] “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.” See https://csrc.nist.gov/glossary/term/phishing.
[iv] See OCR February 2018 Phishing Cybersecurity Newsletter https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-february-2018.pdf.
[vi] See 45 CFR 164.308(a)(5)(i): Standard: Security Awareness and Training.
[viii] See 45 CFR 164.306(d)(3). Addressable implementation specifications require regulated entities to assess whether an implementation specification is a reasonable and appropriate safeguard in its environment, and if so to implement it. If a particular implementation specification is not reasonable and appropriate, entities must document why, and implement equivalent alternative measures if reasonable and appropriate.
[ix] See 45 CFR 164.308(a)(5)(ii)(A): Implementation Specification: Security Reminders (addressable).
[x] See 45 CFR 164.312(c)(1): Standard: Integrity.
[xi] See 45 CFR 164.308(a)(1)(ii)(A)-(B): Implementation Specification: Risk Analysis (required), Implementation Specification: Risk Management (required); see also 45 CFR 164.304 (definition of “Availability”).
[xiii] See OCR Fall 2021 Cybersecurity Newsletter. https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-fall-2021/index.html.
[xiv] See 45 CFR 164.308(a)(1)(i): Standard: Security Management Process.
[xv] See 45 CFR 164.308(a)(1)(ii)(A)-(B): Implementation Specification: Risk Analysis (required), Implementation Specification: Risk Management (required).
[xvi] “Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines.”, U.S. Department of Health and Human Services Office for Civil Rights. Guidance on Risk Analysis Requirements under the HIPAA Security Rule. (2010, p. 3). See https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf.
[xxi] Verizon. 2020 Data Breach Investigations Report. (2020, p. 19). Retrieved from https://enterprise.verizon.com/resources/reports/2020/2020-data-breach-investigations-report.pdf
[xxii] See 45 CFR 164.312(d): Standard: Person or Entity Authentication.
[xxiii] See 45 CFR 164.312(a)(1): Standard: Access Control.
[xxiv] See 45 CFR 164.306(e): Maintenance.
[xxv] See 45 CFR 164.308(a)(8): Standard: Evaluation.