Privacy Briefs: April 2024

Health Care Compliance Association (HCCA)
[author: Jane Anderson]

Report on Patient Privacy 24, no. 4 (April, 2024)

The Cybersecurity and Infrastructure Security Agency (CISA) is seeking comment on a proposed rule to implement reporting requirements for critical infrastructure entities, including health care entities, on cyberattacks and ransomware payments. Congress mandated the rule in the Cyber Incident Reporting for Critical Infrastructure Act of 2022. It would require entities to report “substantial” cyber incidents to CISA within 72 hours and ransom payments within 24 hours. CISA defines “substantial” cyber incidents to include those that have any of these characteristics: (1) a loss of confidentiality, integrity or availability of an entity’s information system or network; (2) a serious impact on the safety and resiliency of an entity’s operational systems and processes; (3) a disruption of an entity’s ability to engage in business or industrial operations or deliver goods and services; or (4) unauthorized access to an entity’s information system or network, or to any nonpublic information contained in the information system or network, that was facilitated through or caused by either a compromise of a cloud service provider, managed service provider or other third-party data hosting provider, or a supply chain compromise. CISA said the rule would enhance its ability to spot trends in cyberattacks, help victims and quickly share information with other entities. The deadline for comments is June 3.[1]

Indiana Attorney General Todd Rokita has sued home health care provider Apria Healthcare LLC for violating HIPAA as a result of two data breaches two years apart that impacted 1.8 million people, including 42,000 Indiana residents. Apria provides home health care equipment and related services to more than 2 million patients across 270 locations. According to Rokita’s lawsuit, bad actors first gained access to Apria’s environment in April 2019 and gained access a second time in August 2021. The FBI notified Apria on Sept. 1, 2021, that an unauthorized third party likely was able to access its system. “The intruder accessed millions of documents containing protected health information and other personal information,” Rokita said. “Further, the intruder accessed several Apria employee email accounts, including Apria’s CEO.” At the time of the attack, Apria did not have two-factor or multi-factor authentication in place, the lawsuit said. According to Rokita, the breach involved Social Security numbers, birth certificates, credit and debit card information, medical histories, addresses and other information. In addition, Rokita said Apria failed to notify patients until May 2023, even though Apria’s parent company—Virginia-based Owens & Minor—knew about the problem when it purchased Apria in March 2022.[2]

Cancer treatment provider City of Hope has disclosed a 2023 data breach that involved records from more than 827,000 patients. In a data breach notice posted on its website, City of Hope said it became aware of suspicious activity “on a subset of its systems and immediately instituted mitigation measures to minimize any disruption to its operations.” A cybersecurity firm investigating determined that an unauthorized third party had accessed some systems and obtained copies of files between Sept. 19 and Oct. 12, 2023, City of Hope said. “While the investigation remains ongoing, the impacted personal information identified thus far varies by individual but may have included name, contact information (e.g., email address, phone number), date of birth, social security number, driver’s license or other government identification, financial details (e.g., bank account number and/or credit card details), health insurance information, medical records and information about medical history and/or associated conditions, and/or unique identifiers to associate individuals with City of Hope (e.g., medical record number),” City of Hope said in its data breach notice. City of Hope is providing two years’ worth of identity monitoring for individuals whose information may have been involved.[3]

The co-chair of the Senate Cybersecurity Caucus has introduced legislation that would allow for advance and accelerated payments to health care providers in the event of a cyber incident, as long as those providers and their vendors meet minimum cybersecurity standards. The proposed legislation from Sen. Mark Warner, D-Va., followed the Change Healthcare ransomware attack, which paralyzed billing services for providers nationwide. “I’ve been sounding the alarm about cybersecurity in the health care sector for some time,” Warner said. “It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide. The recent hack of Change Healthcare is a reminder that the entire health care industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.” The legislation would modify existing Medicare advances and accelerated payment programs to provide payments to health care providers affected by cyber incidents if they meet minimum standards established by HHS. If a provider’s intermediary was the target of the incident, the intermediary also must meet minimum cybersecurity standards for the provider to receive payments.[4]

An ongoing health care cybersecurity benchmarking study found that overall health care provider and payer cybersecurity preparedness was at a level similar to that reported in 2023, but repeat respondents reported increased coverage across the measurements. The report—a collaboration between cybersecurity firm Censinet, KLAS Research, the American Hospital Association, Health-ISAC and the public-private Healthcare and Public Health Sector Coordinating Councils—looked at data from 58 respondents, including 54 payer or provider organizations and four health care vendors. The report looked specifically at coverage of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Health Industry Cybersecurity Practices (HICP). “Average coverage across the five NIST CSF functions shows that organizations are generally more reactive than proactive in their approach to cybersecurity,” the report said. However, the 25 organizations that also participated in the 2023 benchmarking study “on average have seen improved coverage in all NIST CSF functions as well as HICP best practices, and their average NIST CSF and HICP coverage is higher than that of other participating provider and payer organizations,” the report said. Overall, the NIST CSF category Supply Chain Risk Management remains the weakest, the study found, adding that “the lack of adoption of this category is particularly alarming given that the health care industry is more likely than other industries to be victimized by third-party data breaches.” The study also found that higher cybersecurity preparedness and resiliency are strongly correlated with lower insurance premium growth.[5]

A report from software firm Code42 found a 28% average increase in insider-driven cybersecurity events since 2021. The report, which was based on a survey of more than 700 security professionals across industries, also found that 85% of those professionals expect data loss from insider events to increase in the next 12 months, driven in part by the growth in artificial intelligence. “In particular, the data sets required to fuel machine learning models represent significant risks as often well-meaning insiders push that data outside organizations to train the models,” the report said. “This is a whole new threat for which security teams are now responsible.” The average insider incident cost is $15 million, the report found.[6]

Bad actors are increasingly shifting from attachments to malicious links in phishing emails, signaling a change in attacker strategies, according to the latest threat analysis from email security firm Mimecast. In its fourth quarter Global Threat Intelligence Report, Mimecast also found that cybercriminals are leveraging generative artificial intelligence for more convincing phishing lures and are using QR codes to obfuscate links, posing an additional challenge for users. Small and medium-sized firms encountered more than twice as many threats as large companies, the report said. This occurs because a greater share of employees at smaller and medium-sized entities are in critical roles and because those entities rely on credential-based cloud services for much of their operations, while attackers are increasingly focused on credential theft, the report said. “Attackers are increasingly using brands to fool users into trusting spam and phishing attacks, often marrying the brand with a QR code or a link to a legitimate file service,” the report said. “Increased geopolitical tensions have contributed to a surge in cyberattacks.” Still, although ransomware and data breach incidents increased in 2023, “companies are resisting extortion attacks,” the report said. “Ransom payment rates have plummeted, hitting a low of 34% in Q2 2023, down from 85% at the beginning of 2019,” although the rate ticked up slightly in late 2023.[7]

1 Cybersecurity & Infrastructure Security Agency, “CISA Marks Important Milestone in Addressing Cyber Incidents; Seeks Input on CIRCIA Notice of Proposed Rulemaking,” March 27, 2024, https://bit.ly/3TLCZ4S.

2 State of Indiana, “Attorney General Todd Rokita continues fight for patient privacy, files suit against Apria Healthcare,” February 29, 2024, https://bit.ly/3U3nN4r.

3 City of Hope, “Notice of Data Security Incident,” April 2, 2024, https://bit.ly/43LuiMy.

4 Mark R. Warner, US Senator from the Commonwealth of Virginia, “Responding to Change Healthcare, Warner Introduces Legislation to Protect Providers in the Event of Future Hacks, Requiring Minimum Cybersecurity Standards,” news release, March 22, 2024, https://bit.ly/49s3hPs.

5 Censinet, “2024 Healthcare Cybersecurity Benchmarking Study Executive Summary,” white paper, accessed April 5, 2024, https://bit.ly/3vJPZjt.

6 Code42, “Annual Data Exposure Report 2024,” accessed April 5, 2024, https://bit.ly/3vxWFRM.

7 Mimecast, “Global Threat Intelligence Report: October-December 2023,” October-December 2023, https://bit.ly/3xxt5Mx.
