Ransomware resource established by Department of Homeland Security
On July 14, 2021, the U.S. Department of Homeland Security (DHS) launched a website intended to serve as a one-stop hub for ransomware resources. DHS stated that ransomware is a growing national security threat: $350 million in ransom was paid in 2020, and there have already been notable ransomware attacks in 2021. The intent of the new website is to collect resources from all federal agencies to assist organizations in protecting themselves against ransomware attacks and respond to incidents.
For the health care sector, the site links to several updates and resources, including resources compiled by the Cybersecurity Act of 2015, Section 405(d) Task Group. The task group created a publication in 2018 entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, two technical volumes on cybersecurity practices for small health care organizations and for medium to large health care organizations, and a volume of resources and templates. The Task Group identified the ten most effective actions to mitigate common threats to the health care system: email protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and cybersecurity policies.
- Details
- Published: 25 July 2021 25 July 2021
USCDI is updated to support electronic exchange of sexual orientation, gender identity and SDOH
The Office of the National Coordinator for Health Information Technology (ONC) released version 2 of the United States Core Data for Interoperability (USCDI) on July 9, 2021. The new USCDI includes three new data classes and 22 new data elements, including data elements for sexual orientation and gender identity and four data elements for social determinants of health (SDOH). ONC discusses the updated standards in the July 2021 issue of ONC Health IT Standards Bulletin. ONC intends that the collection, access, use and reporting of standardized SDOH, sexual orientation and gender identity data can help identify and address differences in health equity. In addition to the SDOH, sexual orientation and gender identity elements, version 2 of USCDI includes new data classes and elements for clinical tests, diagnostic imaging and encounter information. ONC also announced that suggestions for new data classes or elements for the next version of USCDI will be accepted until September 30, 2021.
- Details
- Published: 18 July 2021 18 July 2021
HHS warns that many PACS systems still have cybersecurity vulnerabilities
The Health Sector Cybersecurity Coordination Center (HC3) warns that many Picture Archiving Communication Systems (PACS) continue to have unpatched cybersecurity vulnerabilities, even though researchers identified vulnerabilities in these systems in 2019. PACS systems use the Digital Imaging and Communications in Medicine (DICOM) format, which was developed three decades ago. PACS systems can include security vulnerabilities such as known default passwords, hardcoded credentials and lack of authentication within third party software. Vulnerable PACS servers can cause patient information to be exposed and malware to be introduced into connected clinical networks. The HC3 report lists 23 vulnerable PACS devices, noting that the list is not all-inclusive.
To mitigate PACS vulnerabilities, HC3 suggests the following:
- validate connections to ensure access is limited to only authorized users
- enable secure connections (HTTPS) for internet connected systems
- place PACS systems behind a firewall and require access via a virtual private network (VPN).
- Details
- Published: 18 July 2021 18 July 2021
OIG urges CMS to include cybersecurity in hospital surveys
The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued a report dated June 2021 on oversight by the Centers for Medicare and Medicaid (CMS) of hospitals' cybersecurity controls for networked medical devices. The OIG concluded that consistent oversight was lacking. CMS's survey protocols do not explicitly address cybersecurity, nor do audit practices of the accreditation organizations (AOs). The OIG points out that hospitals have increasingly become targets of ransomware attacks. While most such attacks have affected electronic health record (EHR) systems, there was a ransomware attack in 2017 that infected radiology equipment. Because many radiology, laboratory and other systems connect to the EHR, malignant code introduced into networked devices can affect the entire EHR system.
Direct responsibility for hospital surveys rests with the AOs as well as the state survey agencies (typically, the state department of health). State survey agencies follow guidelines in CMS's State Operations Manual, including Appendix A applicable to hospital surveys, which includes the Medicare Conditions of Participation (CoPs) for hospitals and the Interpretive Guidelines, which provide more detailed instructions on application of the CoPs. The AOs establish their own audit guidelines, which are required to be at least as stringent as those contained in the State Operations Manual.
- Details
- Published: 26 June 2021 26 June 2021
Latest articles
- Illinois expands access to telehealth services and mandates certain insurance coverage
- Ransomware resource established by Department of Homeland Security
- H.R. 2980 - Cybersecurity Vulnerability Remediation Act
- S. 658 - National Cybersecurity Preparedness Consortium Act of 2021
- ONC plans national health information network to begin in 2022
Trending
- S. 2061 and HR 4058 - Telemental Health Care Access Act
- USCDI is updated to support electronic exchange of sexual orientation, gender identity and SDOH
- Illinois expands access to telehealth services and mandates certain insurance coverage
- ONC plans national health information network to begin in 2022
- HHS warns that many PACS systems still have cybersecurity vulnerabilities