Web-Tones

That question is so broad that it can only be answered succinctly in the abstract. However for our purpose such a definition should work just fine. One such definition follows: "Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security."

- See more at: http://www.lawtechtv.com/home/2017/06/you-can-see-the-full-text-of-guidance-here-the-takeaway-from-hhs-guidance-post-wannacry-can-be-summarized-as-1-contingency.html#sthash.kQOU5BgU.dpuf

 

The answer to this question contains two related but ultimately separate and distinct parts: (1) a set of security controls not all that dissimilar from the CIS top 20; and (2) a coherent regulatory regime that is a set of regulations unique unto itself. To ignore the latter is to make a legal mistake that could lead to significant liability. That is why, in our view, reliance on "mapping mechanisms" such as HITRUST and ISO 27001 alone is potentially dangerous legally. 

 

No HHS auditor or court of law focusing on a HIPAA legal question is going to ask you whether or not you are in compliance with a section of HITRUST or ISO 27001. Although covered entities and business associates may use the latter as some sort of affirmative defense with respect to HIPAA compliance, the questions that HHS or a court are going to ask will reference specific sections of the HIPAA Rules. For example, the question won't be whether you conducted a Risk Assessment but whether you complied with Section 164-308(1)(ii)(a) "Risk Analysis (Required)."

 

At best your sole reliance on HITRUST or ISO 27001 (or any similar mapping mechanism) is likely going to make your defense harder, and therefore more expensive. At worst, relying on those mapping mechanisms could provide your organization a false sense of compliance that could lead to a finding of willful neglect.

- See more at: http://www.lawtechtv.com/home/2017/06/you-can-see-the-full-text-of-guidance-here-the-takeaway-from-hhs-guidance-post-wannacry-can-be-summarized-as-1-contingency.html#sthash.kQOU5BgU.dpuf

This article answers that question in the affirmative. Larger and larger data breaches are now an undeniable trend, which the available data clearly supports. The $$ quote form this article is:

Before 2009, the majority of data breaches were the fault of human errors like misplaced hard drives and stolen laptops, or the efforts of “inside men” looking to make a profit by selling data to the highest bidder. Since then, the volume of malicious hacking (shown in purple) has exploded relative to other forms of data loss. Increasingly sophisticated hacking has altered the scale of data loss by orders of magnitude. For example, an “inside job” breach at data broker Court Ventures was once one of the world’s largest single losses of records at 200 million. However, it was eclipsed in size shortly thereafter by malicious hacks at Yahoo in 2013 and 2014 that compromised over 1.5 billion records, and now larger hacks are increasingly becoming the norm.

This data visualization comes to us from Information is Beautiful. Go to their site to see the highly-recommended interactive format that visualizes the same data, while providing additional details on each specific hack.

- See more at: http://www.lawtechtv.com/home/2017/06/you-can-see-the-full-text-of-guidance-here-the-takeaway-from-hhs-guidance-post-wannacry-can-be-summarized-as-1-contingency.html#sthash.kQOU5BgU.dpuf

You can see the full text of the most recent guidance here. The takeaway from HHS' guidance post WannaCry can be summarized as (1) Contingency Plans (see below); and (2) Network Scans.

My entity just experienced a cyber-attack! What do we do now?
A Quick-Response Checklist from the HHS, Office for Civil Rights (OCR)

Has your entity just experienced a ransomware attack or other cyber-related security incident, and you are wondering what to do now? This guide explains, in brief, the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident. In the event of a cyber-attack or similar emergency an entity:

1. Must execute its response and mitigation procedures and contingency plans...
2. Should report the crime to other law enforcement agencies...
3. Should report all cyber threat indicators to federal and information-sharing and analysis
   organizations (ISAOs)...
4. Must report the breach to OCR as soon as possible, but no later than 60 days after the
   discovery of a breach affecting 500 or more individuals...

OCR considers all mitigation efforts taken by the entity during in any particular breach investigation.

Such efforts include voluntary sharing of breach-related information with law enforcement agencies
and other federal and analysis organizations as described above.

Your network is the heartbeat of your organization; without it no emails get sent, no applications are accessed, no third-party resources of any kind are available—in short, to a large extent, no meaningful work of any kind gets done that requires communication with colleagues, both inside and outside of the organization. So, it goes without saying that to maintain your network’s heartbeat you must monitor it for signs of well-being. Compliance with the HIPAA rules (Privacy, Security and Breach Notification—collectively “Rules” or “the Rules”) also requires that you monitor your network.

Monitoring your network requires, among other things, that you regularly “scan” it to determine whether it is functioning properly and to what degree (if any) it is being compromised by persons or entities ("Persons") inside, or outside of your network.   Without periodic scans, there is no way to determine whether your network is being persistently accessed inappropriately or, worse yet, has already been penetrated by an adversary.

But for network scanning, it is highly improbable that organizations would have detected and mitigated the impact of the “WannaCry”[1] ransomware in a timely manner. The consensus today among cybersecurity experts is that your network’s perimeter can no longer be defended. You are therefore forced to assume that your network has, or will be, penetrated. No number of firewalls, proxy servers, and other perimeter defense mechanisms can prevent your adversaries from readily penetrating your outward facing defenses.

Of course, that does not mean that you do not continue to use these defenses, in fact you must. However, you must also assume that sophisticated adversaries will find a way in, and the critical question becomes “what happens then?” There are some experts who suggest that the best you can do is to apply your efforts toward significantly reducing the “dwell time”—that is, the amount of time that your adversary has already spent within your perimeter “poking around” for vulnerabilities to exploit.

Regardless of how you may choose to attack this challenge, regular periodic scans must be one of the tools in your toolset. Although the HIPAA Rules do not expressly state that network scans (“Scanning”) must be performed—it is inferred by HHS as a kind of “rule of reason;” because compliance with other parts of the Rules would be impossible without it. For example, HHS recently stated in guidance entitled: FACT SHEET: Ransomware and HIPAA[2] the following:

It is expected that covered entities and business associates will use this process of risk analysis and risk management not only to satisfy the specific standards and implementation specifications of the Security Rule, but also when implementing security measures to reduce the particular risks and vulnerabilities to ePHI throughout an organization’s entire enterprise, identified as a result of an accurate and thorough risk analysis, to a reasonable and appropriate level. For example, although there is a not a Security Rule standard or implementation specification that specifically and expressly requires entities to update the firmware of network devices, entities, as part of their risk analysis and risk management process, should, as appropriate, identify and address the risks to ePHI of using networks devices running on obsolete firmware, especially when firmware updates are available to remediate known security vulnerabilities. [Emphasis Added].

Discovering outdated firmware would be next to impossible without Scanning. Further, you are likely to be found in “willful neglect” of the Rules, where penalties are assessed at $50,000.00 per violation, if you are not Scanning on a timetable that is “reasonable and appropriate.” This is not your Daddy’s HIPAA anymore! The Persons that are attempting to harm your patient’s PHI and your reputation are growing by orders of magnitude. HHS’ warnings post WannaCry have be ratcheted up because the unequivocal message from WannaCry was clear—we know where you live and we’re coming for you!

[1] See https://en.wikipedia.org/wiki/WannaCry_ransomware_attack.

[2] See https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.