Also known as the “Wall of Shame,” the U.S. Department of Health and Human Services’ Cases Currently Under Investigation list details hundreds of breaches reported by U.S. healthcare organizations over the past 24 months. The number of threats and their costs continue to grow.
While healthcare industry organizations are working with members of Congress on ways to help the government address persistent cybersecurity attacks on critical healthcare infrastructure, the industry is highly focused on issues such as how to move the needle on third-party cybersecurity and best practices for working together to improve cyber preparedness and initiate cybercrime investigations. Here are Healthcare IT News’ most-read privacy and cybersecurity stories of 2022.
EHR vendor sued after data breach
In January, Tennessee-based QRS, which provides EHR and practice management software, was criticized for failing to implement recommended threat controls to prevent and detect cyberattacks, following the August 2021 patient portal data breach. “QRS failed to reasonably protect, monitor, and maintain the protected health information and personally identifiable information stored in the Patient Portal,” plaintiffs said.
CommonSpirit works to restore EHR systems after confirmed ransomware attack
Cyberattacks in October brought widespread outages to CommonSpirit hospitals and medical facilities across multiple states. After the merger of Dignity Health and Catholic Health Initiatives in 2017, the system became the second largest non-profit hospital chain with over 350 hospitals nationwide. Loss of access to medical records and patient portals, delayed medical procedures, canceled appointments, and other disruptions plagued operations at more than 140 facilities. Upon further investigation, CommonSpirit discovered that protected data held by Virginia Mason Franciscan Health had also been compromised.
PATCH Act aims to strengthen the security of medical devices and IoT networks
In April, Sen. Tammy Baldwin (D-Wisconsin) and Dr. Bill Cassidy (R-Louisiana) introduced the Cyber Healthcare Protection and Transformation Act to implement a set of new requirements for medical devices and network security. Although the PATCH Act, which would amend the Food, Drug, and Cosmetic Act, was not passed this year, the FDA released its draft Medical Device Cybersecurity Guidance in April and, working with MITRE, released a playbook for preparing for and responding to incidents.
FBI Spotlights Cybersecurity Risks of Outdated Medical Devices
The Federal Bureau of Investigation released recommendations to address numerous cybersecurity vulnerabilities in active medical devices such as insulin pumps, cardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps. The agency found an average of 6.2 vulnerabilities per medical device and found that 40% of medical devices at the end of their life receive little or no security patches or upgrades.
FBI and CISA Warn About Zeppelin Ransomware Targeting Healthcare
In August, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly issued a warning that Zeppelin ransomware, a derivative of the Delphi-based Vega malware family, was being used in cyberattacks targeting healthcare organizations. According to CISA, cybercriminals have been deploying Zeppelin against a wide range of critical infrastructure organizations since 2019, demanding hefty ransom payments in Bitcoin and exfiltrating data. The alert outlines tactics, techniques, and procedures, resulting incidents, and recommendations to help hospitals and healthcare systems mitigate their risks.
Cybersecurity Incident Disrupts Tenet Hospital Operations
In April, a cybersecurity incident disrupted some of the more than 550 acute care operations of Dallas-based Tenet Healthcare Corporation, with ambulances stopped in Massachusetts and access to EHRs lost in Florida. The company halted operations as a result of the cyber breach and provided few details in an announcement a week later.
Kaiser Permanente employee suspected of violating EHR
In November, the Mid-Atlantic Kaiser Foundation Health Plan announced that one of its employees improperly accessed some of a patient’s medical records and released medical information, including patient demographics and photographs. During a recent discussion of insider threats at the HIMSS 2022 Cybersecurity Forum, many healthcare IT professionals expressed concerns about access management.
Hospitals still can’t manage IoT devices
The Connected Device Vulnerability Report 2022 in Healthcare, released just after midyear by Cynerio and The Ponemon Institute, details worrying trends in healthcare, such as widespread and repeated attacks, millions in financial losses, and frequent failures of basic cybersecurity measures.
FDA Releases Medical Device Cybersecurity Draft Guidance
In April, the FDA released draft guidelines to ensure medical devices on the market are sufficiently resilient to cybersecurity threats, replacing guidance issued in 2018. The FDA is accepting comments on “Medical Device Cybersecurity: Quality System Considerations and Premarket Submission Content” until July.
Report finds linear relationship between hospital cyberattacks and patient mortality
Based on a survey of over 640 IT and security leaders, the Ponemon Institute found that 89% of surveyed organizations experienced an average of 43 attacks in the past year. A September report said that of the four most common types of cyberattacks, 20% of health systems experienced a rise in patient mortality afterward.
Andrea Fox is senior editor for Healthcare IT News.
Healthcare IT News is a HIMSS publication.