Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Welcome to the nexus of ethics, psychology, morality, technology, health care, and philosophy
Showing posts with label Cybersecurity.

Thursday, February 13, 2025

New Proposed Health Cybersecurity Rule: What Physicians Should Know

Alicia Ault
MedScape.com
Originally posted 10 Jan 25

A new federal rule could force hospitals and doctors’ groups to boost health cybersecurity measures to better protect patients’ health information and prevent ransomware attacks. Some of the proposed requirements could be expensive for healthcare providers.

The proposed rule, issued by the US Department of Health and Human Services (HHS) and published on January 6 in the Federal Register, marks the first time in a decade that the federal government has updated regulations governing the security of private health information (PHI) that’s kept or shared online. Comments on the rule are due on March 6.

Because the risks for cyberattacks have increased exponentially, “there is a greater need to invest than ever before in both people and technologies to secure patient information,” Adam Greene, an attorney at Davis Wright Tremaine in Washington, DC, who advises healthcare clients on cybersecurity, told Medscape Medical News.

Bad actors continue to evolve and are often far ahead of their targets, added Mark Fox, privacy and research compliance officer for the American College of Cardiology.

In the proposed rule, HHS noted that breaches have risen by more than 50% since 2020. Damages from health data breaches are more expensive than in any other sector, averaging $10 million per incident, said HHS.


Here are some thoughts:

The article outlines a newly proposed cybersecurity rule aimed at strengthening the protection of healthcare data and systems. This rule is particularly relevant to physicians and healthcare organizations, as it addresses the growing threat of cyberattacks in the healthcare sector. The proposed regulation emphasizes the need for enhanced cybersecurity measures, such as implementing stronger protocols, conducting regular risk assessments, and ensuring compliance with updated standards. For physicians, this means adapting to new requirements that may require additional resources, training, and investment in cybersecurity infrastructure. The rule also highlights the critical importance of safeguarding patient information, as breaches can lead to severe consequences, including identity theft, financial loss, and compromised patient care. Beyond data protection, the rule aims to prevent disruptions to healthcare operations, such as delayed treatments or system shutdowns, which can arise from cyber incidents.

However, while the rule is a necessary step to address vulnerabilities, it may pose challenges for smaller practices or resource-limited healthcare organizations. Compliance could require significant financial and operational adjustments, potentially creating a burden for some providers. Despite these challenges, the proposed rule reflects a broader trend toward stricter cybersecurity regulations across industries, particularly in sectors like healthcare that handle highly sensitive information. It underscores the need for proactive measures to address evolving cyber threats and ensure the long-term security and reliability of healthcare systems. Collaboration between healthcare organizations, cybersecurity experts, and regulatory bodies will be essential to successfully implement these measures and share best practices. Ultimately, while the transition may be demanding, the long-term benefits—such as reduced risk of data breaches, enhanced patient trust, and uninterrupted healthcare services—are likely to outweigh the initial costs.

Sunday, December 8, 2024

The Dark Side Of AI: How Deepfakes And Disinformation Are Becoming A Billion-Dollar Business Risk

Bernard Marr
Forbes.com
Originally posted 6 Nov 24

Every week, I talk to business leaders who believe they're prepared for AI disruption. But when I ask them about their defense strategy against AI-generated deepfakes and disinformation, I'm usually met with blank stares.

The truth is, we've entered an era where a single fake video or manipulated image can wipe millions off a company's market value in minutes. While we've all heard about the societal implications of AI-generated fakery, the specific risks to businesses are both more immediate and more devastating than many realize.

The New Face Of Financial Fraud

Picture this: A convincing deepfake video shows your CEO announcing a major product recall that never happened, or AI-generated images suggest your headquarters is on fire when it isn't. It sounds like science fiction, but it's already happening. In 2023, a single fake image of smoke rising from a building triggered a panic-driven stock market sell-off, demonstrating how quickly artificial content can impact real-world financials.

The threat is particularly acute during sensitive periods like public offerings or mergers and acquisitions, as noted by PwC. During these critical junctures, even a small piece of manufactured misinformation can have outsized consequences.


Here are some thoughts:

The article discusses the dangers of deepfakes and AI-generated disinformation, warning that these technologies can be used for financial fraud and reputational damage. The author argues that businesses must be proactive in developing defense strategies, including educating employees, implementing cybersecurity solutions, and being transparent with customers. The author suggests that companies must adopt a new culture of vigilance to combat these threats and protect their interests in the increasingly blurred world of real and artificial content.

Tuesday, October 22, 2024

Pennsylvania health system agrees to $65 million settlement after hackers leaked nude photos of cancer patients

Sean Lyngaas
CNN.com
Originally posted 23 Sept 24

A Pennsylvania health care system this month agreed to pay $65 million to victims of a February 2023 ransomware attack after hackers posted nude photos of cancer patients online, according to the victims’ lawyers.

It’s the largest settlement of its kind in terms of per-patient compensation for victims of a cyberattack, according to Saltz Mongeluzzi Bendesky, a law firm for the plaintiffs.

The settlement, which is subject to approval by a judge, is a warning to other big US health care providers that the most sensitive patient records they hold are of enormous value to both hackers and the patients themselves, health care cyber experts told CNN. Eighty percent of the $65-million settlement is set aside for victims whose nude photos were published online.

The settlement “shifts the legal, insurance and adversarial ecosystem,” said Carter Groome, chief executive of cybersecurity firm First Health Advisory. “If you’re protecting health data as a crown jewel — as you should be — images or photos are going to need another level of compartmentalized protection.”

It’s a potentially continuous cycle where hackers increasingly seek out the most sensitive patient data to steal, and health care providers move to settle claims out of courts to avoid “ongoing reputational harm,” Groome told CNN.

According to the lawsuit, a cybercriminal gang stole nude photos of cancer patients last year from Lehigh Valley Health Network, which comprises 15 hospitals and health centers in eastern Pennsylvania. The hackers demanded a ransom payment and when Lehigh refused to pay, they leaked the photos online.

The lawsuit, filed on behalf of a Pennsylvania woman and others whose nude photos were posted online, said that Lehigh Valley Health Network needed to be held accountable “for the embarrassment and humiliation” it had caused plaintiffs.

“Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future,” Lehigh Valley Health Network said in a statement to CNN on Monday.


Here are some thoughts:

The ransomware attack on Lehigh Valley Health Network raises significant ethical and healthcare concerns. The exposure of nude photos of cancer patients is a profound breach of trust and privacy, causing significant emotional distress and psychological harm. Healthcare providers have a duty of care to protect patient data and must be held accountable for their failure to do so. The decision to pay a ransom is ethically complex, as it can incentivize further attacks and potentially jeopardize patient safety. The frequency and severity of ransomware attacks highlight the urgent need for stronger cybersecurity measures in the healthcare sector. By addressing these ethical and practical considerations, healthcare organizations can better safeguard patient information and ensure the delivery of high-quality care.

Tuesday, June 18, 2024

Medical-Targeted Ransomware Is Breaking Records After Change Healthcare’s $22M Payout

Andy Greenberg
wired.com
Originally posted 12 June 24

When Change Healthcare paid $22 million in March to a ransomware gang that had crippled the company along with hundreds of hospitals, medical practices, and pharmacies across the US, the cybersecurity industry warned that Change's extortion payment would only fuel a vicious cycle: Rewarding hackers who had carried out a ruthless act of sabotage against the US health care system nationwide with one of the largest ransomware payments in history, it seemed, was bound to incentivize a new wave of attacks on similarly sensitive victims. Now that wave has arrived.

In April, cybersecurity firm Recorded Future tracked 44 cases of cybercriminal groups targeting health care organizations with ransomware attacks, stealing their data, encrypting their systems, and demanding payments from the companies while holding their networks hostage. That's more health care victims of ransomware than in any month Recorded Future has seen in its four years of collecting that data, says Allan Liska, a threat intelligence analyst at the company. Comparing that number to the 30 incidents in March, it's also the second biggest month-to-month jump in incidents the company has ever tracked.

While Liska notes that he can't be sure of the reason for that spike, he argues it's unlikely to be a coincidence that it follows in the wake of Change Healthcare's eight-figure payout to the hacker group known as AlphV or BlackCat that was tormenting the company.


Here are some thoughts:

The recent record-breaking ransom payment by a healthcare giant raises a troubling question: are profits being prioritized over patient well-being? This approach creates an ethical dilemma and poses serious psychological and public health risks.

Imagine needing urgent medical attention, only to find your records inaccessible due to a cyberattack. Ransomware disrupts services, causing immense anxiety for patients. Disrupted access to data can delay diagnoses, hinder treatment, and even threaten public health initiatives. Furthermore, these attacks essentially blackmail healthcare providers, potentially eroding trust in the medical system.

To combat this growing threat, we need a multi-pronged approach. Healthcare institutions must prioritize robust cybersecurity. International law enforcement collaboration is crucial to hold cybercriminals accountable. Finally, open communication with patients during and after an attack is essential to rebuild trust and minimize stress. By working together, we can build a more resilient healthcare system that safeguards patient data and well-being.

Thursday, January 31, 2019

HHS issues voluntary guidelines amid rise of cyberattacks

Samantha Liss
www.healthcaredive.com
Originally published January 2, 2019

Dive Brief:

  • To combat security threats in the health sector, HHS issued a voluminous report that details ways small, local clinics and large hospital systems alike can reduce their cybersecurity risks. The guidelines are voluntary, so providers will not be required to adopt the practices identified in the report. 
  • The four-volume report is the culmination of work by a task force, convened in May 2017, that worked to identify the five most common threats in the industry and 10 ways to prepare against those threats.  
  • The five most common threats are email phishing attacks, ransomware attacks, loss or theft of equipment or data, accidental or intentional data loss by an insider and attacks against connected medical devices.

Thursday, May 19, 2016

Anticipating artificial intelligence

Editorial Board
Nature
Originally posted April 26, 2016

Here is an excerpt:

So, what are the risks? Machines and robots that outperform humans across the board could self-improve beyond our control — and their interests might not align with ours. This extreme scenario, which cannot be discounted, is what captures most popular attention. But it is misleading to dismiss all concerns as worried about this.

There are more immediate risks, even with narrow aspects of AI that can already perform some tasks better than humans can. Few foresaw that the Internet and other technologies would open the way for mass, and often indiscriminate, surveillance by intelligence and law-enforcement agencies, threatening principles of privacy and the right to dissent. AI could make such surveillance more widespread and more powerful.

Then there are cybersecurity threats to smart cities, infrastructure and industries that become overdependent on AI — and the all too clear threat that drones and other autonomous offensive weapons systems will allow machines to make lethal decisions alone.

The article is here.

Friday, May 1, 2015

The experts' step-by-step guide to cyber security

By Kitty Dann
The Guardian
Originally published April 2 2015

Where does cyber security fall on your to-do list? If it’s not a priority, it should be, because 60% of small businesses suffered a breach in the year leading up to October 2014. The worst of these breaches disrupted operations for an average of seven to 10 days.

We recently held a live Q&A on the topic, with a panel of experts on hand to answer your questions. From risk assessment to keeping your business safe on a budget, here are some of their suggestions:

The entire article is here.