OCR Cybersecurity Newsletter

Each quarter the Department of Health and Human Services’ Office for Civil Rights (OCR) issues a cybersecurity newsletter. The newsletter highlights cybersecurity trends affecting the healthcare industry. As the March 2022 OCR Cybersecurity Newsletter notes, the number of hacking and IT incidents affecting electronic protected health information (ePHI) has shot up, and rather quickly at that. In fact, the number of hacking or IT incidents reported in 2020 was 45% higher than the number reported in 2019. In addition, of all breaches involving 500 or more individuals reported to OCR in 2020, two-thirds were due to hacking or IT incidents. 

The OCR Cybersecurity Newsletter for March of 2022 discusses preventative steps covered entities and business associates can take to protect against some of the common cyberattacks driving these numbers. Here are some newsletter highlights.

OCR Cybersecurity Newsletter: Because It Still Works

As the newsletter notes, most cyberattacks can be substantially mitigated, or prevented altogether, if covered entities and business associates implement the Security Rule requirements that address the most common cyberattacks. 

OCR singles out three common cyberattacks that can be mitigated or prevented:

  • Phishing
  • Exploitation of known vulnerabilities
  • Taking advantage of weak authentication protocols

Using any of these methods, an attacker can gain access to a provider’s or business associate’s systems and then encrypt its PHI or ePHI. From there, the attacker can hold the information for ransom, dangle the threat of public release to blackmail the organization, or use the information to commit identity theft. Attacks on PHI also can disrupt the provision of healthcare, as covered entities and business associates find their operations and resource flows slowed or stopped because of a cyberattack.

OCR Cybersecurity Newsletter: Phishing – Avoiding the Bottom Feeders

Phishing has been a favored cyberattacker tool since the early days of the Internet. The word “phishing” was created around 1996 by hackers who were stealing account and password information from Internet Service Provider (ISP) America Online users. While America Online, dial-up modems, and installation CDs have attained relic status, basic phishing techniques have remained the same. A cyberattacker sends an email to the intended victim; the message informs the victim that their email account has been compromised and that the user needs to respond immediately by clicking on a provided link. Clicking on the link sets the attack in motion.


Over the years, variations on this basic technique have developed as new methods of cyber-communication have been introduced. 

These variations have colorful names that belie their dangerousness.

Spear Phishing

Spear phishing is a type of phishing targeted and personalized to a specific individual, group, or organization, such as a hospital or hospital chain. Casinos often refer to high-wealth, high-rollers who keep coming back to the table as “whales” (remember the first rule of gambling: the house always wins). The cyber-world has its own phishing version of such creatures, called whale phishing, or whaling. Whaling typically targets CEOs, CFOs, and other top company executives. The cyberattacker attempts to lure in this larger prey by making an outsized threat. A whaling email might, for example, state that a company is facing dire legal consequences, which can only be abated by clicking on the link in the email. The organization can be financially harpooned if the whale takes the bait.

Smishing

Smishing is a type of attack that affects smartphones. This attack uses short messaging service (SMS), or text, to deliver a message to a cell phone. The text contains a clickable link that, when clicked, will launch an attack.

Vishing

In yet a different type of phishing technique called vishing, the attacker starts almost old-fashionedly, by calling the victim. The attacker claims to be a representative from Microsoft, Apple, or another giant tech company, and states that there is a virus or malware on the victim’s computer. “If you give me your credit card number, I can install the latest antimalware software and make your problem go away,” the attacker says. Through this voice call (“voice” begins with “v,” hence the name “vishing”), the attacker gets the credit card information. In return, the victim is often left with malware on their computer, installed by the “technician” who was granted remote access. 

Preventing and Responding to Phishing

With so much phishing going on, as the OCR cybersecurity newsletter notes, it is of scant surprise that 42% of ransomware attacks in Q2 2021 involved phishing. 

Under the HIPAA Security Rule, covered entities and business associates should implement the following Security Rule measures to prevent and respond to phishing:

  • As part of a comprehensive security awareness and training program given to all staff (including management), train workforce members to recognize phishing attacks. The training program should educate staff on new and current cybersecurity threats and how to recognize them.
  • Implement a protocol on what to do when such attacks or suspected attacks take place (e.g., “report suspicious emails to appropriate IT staff”).
  • Send periodic security reminders, and send simulated phishing emails to workforce members, to gauge the effectiveness of the security awareness and training program.
  • Offer additional, targeted training where necessary. 
  • Deploy anti-phishing technologies. These technologies examine incoming email and verify that it does not originate from, or link to, known malicious sites. If the technology identifies an email or attachment as a threat, the email can be blocked, or the attachment can be removed, thwarting the attack. 
  • Implement policies and procedures to protect ePHI from improper alteration or destruction.
  • Assess and reduce risks and vulnerabilities to the confidentiality, availability, and integrity of ePHI – that is, perform risk analysis and risk management.
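To make the “anti-phishing technologies” bullet concrete, here is an added example (not code from the newsletter, OCR, or Compliancy Group) of a minimal mail triage filter. It checks the sender against a blocklist, catches a display name that claims one domain while the real address sits at another, compares the visible link text against the real link target, and strips attachments with executable extensions. The blocklist, the sample messages, and the domains in them are all constructed for illustration.

```python
"""Added example: a minimal mail triage filter of the kind the newsletter's
"anti-phishing technologies" bullet describes. Blocklist, sample messages and
domains are constructed for illustration, not real threat intelligence."""
import email
import os
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed blocklist of sender / link domains (illustrative only).
BLOCKED_DOMAINS = {"badmail.example", "evil-login.example"}

# File types commonly used to deliver a first-stage payload.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def addr_domain(header_value):
    """Lower-cased domain of the address in a From/Return-Path header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def url_host(url):
    return (urlparse(url).hostname or "").lower()


def inspect(msg):
    """Return a list of finding tags for one parsed message."""
    findings = []
    from_hdr = str(msg.get("From", ""))
    name, _ = parseaddr(from_hdr)
    from_dom = addr_domain(from_hdr)
    rp_dom = addr_domain(msg.get("Return-Path", ""))

    if from_dom in BLOCKED_DOMAINS or rp_dom in BLOCKED_DOMAINS:
        findings.append("blocked-sender")
    if rp_dom and rp_dom != from_dom:
        findings.append("envelope-from-mismatch")
    # Display name carrying an address at a different domain than the real one.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != from_dom:
        findings.append("display-name-spoof")

    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR_RE.findall(html.get_content()):
            shown = re.sub(r"<[^>]+>", "", text).strip()
            if url_host(href) in BLOCKED_DOMAINS:
                findings.append("blocked-link")
            elif shown.startswith("http") and url_host(shown) != url_host(href):
                findings.append("link-text-mismatch")
    return findings


def strip_risky_attachments(msg):
    """Remove attachments with risky extensions in place; return their names."""
    removed = []
    if msg.is_multipart():
        kept = []
        for part in msg.get_payload():
            fname = part.get_filename() or ""
            if os.path.splitext(fname)[1].lower() in RISKY_EXTENSIONS:
                removed.append(fname)
                continue
            removed.extend(strip_risky_attachments(part))
            kept.append(part)
        msg.set_payload(kept)
    return removed


def triage(raw):
    """Parse a raw RFC 822 message and decide block / quarantine / deliver."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = inspect(msg)
    removed = strip_risky_attachments(msg)
    if "blocked-sender" in findings or "blocked-link" in findings:
        verdict = "block"
    elif findings or removed:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings, "stripped": removed}


# Constructed lure: spoofed display name, blocked link target, .exe attachment.
SAMPLE_LURE = """\
Return-Path: <bounce@badmail.example>
From: "IT Support it-support@hospital.example" <alerts@badmail.example>
To: nurse@hospital.example
Subject: Your mailbox has been compromised - act now
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://evil-login.example/reset">http://portal.hospital.example/reset</a> within 24 hours.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """\
Return-Path: <doctor.lee@hospital.example>
From: Doctor Lee <doctor.lee@hospital.example>
To: nurse@hospital.example
Subject: Schedule
Content-Type: text/plain; charset="utf-8"

See you at 9.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
    print(triage(SAMPLE_CLEAN))
```

The filter is deliberately layered: a blocklist alone misses a fresh domain, but the display-name and link-text mismatches catch the shape of the lure regardless of which domain the attacker registered this week, and attachment stripping removes the payload even when the message itself is allowed through.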

OCR Cybersecurity Newsletter: Exploiting Known Vulnerabilities

By exploiting publicly known, existing vulnerabilities, hackers can infiltrate a network and gain access to ePHI. It’s easy to instill fear in a regulated entity by telling it to “stop exploitation of known vulnerabilities.” More helpful is to reveal what these known vulnerabilities are in the first place. 

The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD). The NVD catalogs known vulnerabilities by their CVE identifier, along with a severity score (CVSS), the affected products and versions, and references to vendor fixes. 

Exploitable vulnerabilities exist throughout an entity’s infrastructure, including in:

  • Servers
  • Desktops
  • Mobile device operating systems
  • Applications
  • Routers
  • Firewalls

The most common method of mitigating known vulnerabilities is to apply vendor patches, or upgrade to a newer version. Sometimes, a patch or upgrade may not be available. In such instances, vendors frequently suggest steps healthcare organizations may take to mitigate a newly discovered vulnerability. Such steps might include modifying configuration files, or disabling the affected services.

Exploitation of vulnerabilities can be a significant issue with older applications and devices, for which patches or upgrades are no longer available. Suppose an obsolete, unsupported system cannot be upgraded or replaced. In that case, organizations should implement additional safeguards and enhance existing ones to mitigate known vulnerabilities until upgrade or replacement occurs.

The Security Rule directs that known and potential vulnerabilities be assessed by conducting a security risk analysis. An assessment (or analysis; the terms are used interchangeably) that is performed accurately and thoroughly will reveal vulnerabilities that are both technical and non-technical. Technical vulnerabilities include incorrectly implemented or configured information systems. Non-technical vulnerabilities, such as ineffective or non-existent policies and procedures, can leave electronic information systems exposed to tampering, theft, snooping, and physical damage.

The Security Rule requires that identified vulnerabilities be assessed and prioritized, as part of a risk management/mitigation process. Upon prioritization, organizations should take appropriate measures to mitigate or eliminate the vulnerabilities. Examples of mitigation may include decommissioning equipment, applying patches, or hardening systems.
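The three paragraphs above describe one procedure: match what you run against published advisories, prioritize the hits, and pick patch, workaround, or compensating control. Here is an added example (not code from the newsletter, OCR, or Compliancy Group) that carries that procedure through in working form. The advisory records mimic the fields one would pull from the NVD (affected version range, CVSS score, whether a fix exists); their identifiers, the products, the asset inventory, and the scoring bump for ePHI systems are all constructed for illustration and are not real CVEs or real vendor guidance.

```python
"""Added example: match an asset inventory against NVD-style advisory data,
prioritize, and choose patch / workaround / compensating controls.
Advisory identifiers, products and assets are constructed, not real CVEs."""
from dataclasses import dataclass


def parse_version(v):
    """'10.2.15' -> (10, 2, 15); non-numeric segments compare as 0."""
    out = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)


@dataclass
class Advisory:
    ident: str             # constructed identifier, not a real CVE
    product: str
    affected_from: str     # first affected version (inclusive)
    fixed_in: str          # first unaffected version (exclusive upper bound)
    cvss: float
    patch_available: bool
    workaround: str = ""   # vendor-suggested mitigation when no patch exists


@dataclass
class Asset:
    name: str
    product: str
    version: str
    stores_ephi: bool
    supported: bool        # vendor still issues patches for this product


def is_affected(asset, adv):
    v = parse_version(asset.version)
    return (adv.product == asset.product
            and parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in))


def priority(asset, adv):
    """CVSS, raised by 2 for systems holding ePHI, capped at 10 (constructed rule)."""
    return min(adv.cvss + (2.0 if asset.stores_ephi else 0.0), 10.0)


def recommend(asset, adv):
    """Pick the mitigation path the newsletter describes."""
    if adv.patch_available and asset.supported:
        return "patch", f"apply vendor patch / upgrade to {adv.fixed_in}"
    if adv.workaround:
        return "workaround", adv.workaround
    if not asset.supported:
        return "compensate", ("unsupported system: segment it, restrict access, "
                              "monitor it, and schedule replacement")
    return "compensate", "no fix yet: add compensating controls until a patch ships"


def build_plan(assets, advisories):
    """Return exposures sorted highest priority first."""
    plan = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                action, detail = recommend(asset, adv)
                plan.append({"asset": asset.name, "advisory": adv.ident,
                             "score": priority(asset, adv),
                             "action": action, "detail": detail})
    return sorted(plan, key=lambda e: e["score"], reverse=True)


# Constructed advisory data and inventory (illustrative only).
ADVISORIES = [
    Advisory("ADV-0001", "WebPortal", "1.0", "2.4.1", 9.8, True),
    Advisory("ADV-0002", "EdgeRouterOS", "3.0", "3.7", 7.5, False,
             workaround="disable the remote management service or restrict it to the admin VLAN"),
    Advisory("ADV-0003", "LegacyImagingOS", "0", "5.0", 7.8, False),
]
ASSETS = [
    Asset("ehr-web-01", "WebPortal", "2.3.0", stores_ephi=True, supported=True),
    Asset("hr-desktop-07", "WebPortal", "2.4.1", stores_ephi=False, supported=True),
    Asset("edge-fw-01", "EdgeRouterOS", "3.5", stores_ephi=False, supported=True),
    Asset("mri-console", "LegacyImagingOS", "4.2", stores_ephi=True, supported=False),
]

if __name__ == "__main__":
    for entry in build_plan(ASSETS, ADVISORIES):
        print(f"{entry['score']:4.1f}  {entry['asset']:14} {entry['advisory']}  "
              f"{entry['action']:10} {entry['detail']}")
```

Two details are worth noting. The version comparison is half-open (`affected_from <= version < fixed_in`), so a host already at the fixed version is correctly left off the list. And the unsupported imaging console lands near the top of the queue even though it cannot be patched; that is the newsletter's point that an obsolete system is a risk to be managed with additional safeguards, not an item to be quietly dropped from the analysis.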

OCR Cybersecurity Newsletter: Weak Cybersecurity Practices and Controls

Weak authentication requirements, including weak password rules and single-factor authentication, can give an attacker an easy way in. These weak controls are the proverbial gift that keeps on giving. Once an attacker has found a way in, the attacker can then access privileged accounts, deploy malware, and exfiltrate data – at a potentially great cost and embarrassment to the organization.

The Security Rule requires entities to implement authentication measures. These measures require verification that persons or entities seeking access to ePHI are in fact who they claim to be. Upon conducting the risk analysis, entities should be able to determine whether heightened risks are present with regard to authentication. Such risks are not hard to find. For example, remote workers’ access to systems and devices from homes, hotels, and other locations can present significant risk of unauthorized access to, or manipulation of, ePHI.

Another weak cybersecurity practice is having inappropriate access controls. Some entities may conclude (wrongly) that a few privileged individuals (e.g., systems administrators, Privacy Officials, Security Officials) are entitled to a level of access that is incompatible with the concept of role-based access. Role-based access controls, which ensure that individuals who have a need to access PHI are granted access commensurate with that need (and no more), are required under the Security Rule. Failure to adhere to such access controls gives individuals the opportunity to delete ePHI, alter or delete hardware or software configurations, or take other actions that compromise the confidentiality, integrity, and availability of PHI. 

The OCR Cybersecurity Newsletter is guidance in digestible form, straight from the horse’s mouth. HIPAA-beholden entities should check it out – sooner rather than later.
