
EHNAC Executive Director Addresses Recent Cyberattacks and the Implications to Healthcare

FARMINGTON, Conn. – October 31, 2017 – The Equifax data security breach that exposed the personal information of 143 million Americans was just one story in a year full of hackers making headlines as they continue to expose the security vulnerabilities of some of our nation’s most trusted financial and healthcare institutions. With the ramifications of these cyberattacks weighing heavily on the minds of many healthcare industry stakeholders, Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC) and a member of the HHS Cybersecurity Task Force, tackled several questions to better help the industry both understand and strengthen its defense against these attacks.

Q. What can the healthcare industry learn from the Equifax breach and other cyberattacks like the ones that affected the US Securities and Exchange Commission and the Big Four Accounting Firm Deloitte?

Barrett: The Equifax breach impacted more than 143M Americans as a trove of information was breached. It’s no surprise that 2 out of 3 Americans are affected by a breach or cyberattack. That’s an increase from 1 in 3 Americans in years past. In 2017 alone, the top three health data breaches have impacted 1.5 million people. The Office for Civil Rights (OCR) has reported a record number of HIPAA settlements and fines this year as well. These headline-making data breaches are a vivid reminder that it’s clearly not a matter of if a breach can happen but when.

Hospitals and healthcare systems now need to keep their focus on strategies and tactics to mitigate risk and ensure business continuity once a cyberattack occurs. Today’s cybercriminal has evolved into a dangerous entity, capable of bringing an organization’s enterprise and business operation to a halt, compounded by long-term financial and reputational hardships – the WannaCry and Petya ransomware attacks from earlier this year are clear examples of the impact this can have on healthcare. On average, it costs a healthcare organization more than $2.2 million and its business associates more than $1 million for a data breach. Is it worth risking that by taking an “it-can’t-happen-to-us” attitude?

Q. What can healthcare organizations do to adjust to the continuously shifting cybercrime landscape and reduce their risks of becoming another statistic on the U.S. Department of Health & Human Services (HHS) website due to breach or attack?

Barrett: Protecting patient data should be a top priority for all healthcare stakeholders. Every organization handling protected health information (PHI) needs to conduct a risk assessment and asset inventory of their organization and map the data flow within their enterprise in order to determine their risk in the event of a breach or cyberattack. Hospitals and healthcare systems need to build security frameworks and risk sharing into their infrastructure by implementing risk-mitigation strategies, preparedness planning, as well as adhering to the regulations created by the Office of the National Coordinator for Health IT (ONC) and the National Institute for Standards and Technology (NIST).

But it’s not just the security of internal systems that are of concern in this increasingly interconnected healthcare ecosystem. The security and IT risk management protocols of business associates and other vendors and partners must also be ready for the potential negative consequences of an incident, breach or attack as their risk mitigation preparedness can impact a health system’s operations. The failure to do so can bring devastating consequences. At a bare minimum, a system should have sufficient rigor and meet industry standards for adhering to HIPAA requirements, mitigating cybersecurity risks, and assuring that all portal and exchange connection points are secured.

Q. As we look ahead to 2018, what areas should healthcare leaders take a hard look at in terms of enhancing their cybersecurity frameworks?

Barrett: The Internet of Things (IoT) has undoubtedly helped healthcare organizations deliver high-quality, more patient-centric and affordable care. However, by introducing these various internet-connected devices into a healthcare environment, you’ve exponentially increased the level of connection points, which in turn raises the level of exposure and heightens risk of compromise or breach. As a result, hospitals and healthcare systems need to evaluate their medical devices and BYOD protocols within their security frameworks as they present a whole set of data security challenges. Cybercriminals can strike when hospital employees, through their cell phones or tablets, connect into an EMR system, informatics or data exchange, unintentionally or intentionally infecting the hospital’s enterprise infrastructure with malware. In fact, more than 1M healthcare apps are developed worldwide on an annual basis. Unfortunately, only a small percentage of those new applications go through a security type review before being launched to the consumer or other stakeholder.

Finally, think of the impact a cybercriminal could have if they were to control medical devices. Last year, Johnson & Johnson warned patients about a potential hacking risk to their insulin pumps. And just recently, we learned of a security risk in a Boston Scientific medical device that communicates with implanted pacemakers and defibrillators. These are real instances of medical devices being compromised by the ever-evolving cybercriminal. Our industry needs to make protecting these devices and the patients they serve a priority in 2018. The Federal Drug Administration (FDA) has recently developed some medical device guidelines which are a start, but we still have a significant delta to continue to develop further policies, procedures, controls and industry guidance.

About EHNAC

The Electronic Healthcare Network Accreditation Commission (EHNAC) is a voluntary, self-governing standards development organization (SDO) established to develop standard criteria and accredit organizations that electronically exchange healthcare data. These entities include accountable care organizations, data registries, electronic health networks, EPCS vendors, e-prescribing solution providers, financial services firms, health information exchanges, health information service providers, management service organizations, medical billers, outsourced service providers, payers, practice management system vendors and third-party administrators. The Commission is an authorized HITRUST CSF Assessor, making it the only organization with the ability to provide both EHNAC accreditation and HITRUST CSF certification.

EHNAC was founded in 1993 and is a tax-exempt 501(c)(6) nonprofit organization. Guided by peer evaluation, the EHNAC accreditation process promotes quality service, innovation, cooperation and open competition in healthcare. To learn more, visit www.ehnac.org, contact info@ehnac.org, or follow us on Twitter, LinkedIn and YouTube.

October 31, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Bayshore Networks Raises $6.6 Million From Trident Capital Cybersecurity and Current Angel Investors

Provides Cloud-Based Software That Addresses Security Gaps in the Industrial IoT; Impressed Investors With Its Growing Base of F-100 Customers and Strategic Alliances; Overall Revenues for IoT Security Products Will Exceed $20B by 2020, According to IDC

BETHESDA, MD–(Marketwired – May 10, 2016) – Bayshore Networks, the cybersecurity leader for the Industrial Internet of Things (IoT), today announced that it has raised $6.6 million in Series A funding from Trident Capital Cybersecurity and its existing angel investors. Alberto Yépez, managing director of Trident Capital Cybersecurity, will join the company’s board. Will Lin, vice president of Trident Capital Cybersecurity, will be a board observer.

Trident Capital Cybersecurity watched Bayshore Networks’ growth for nearly two years as it achieved its key milestones. “We chose to lead the Series A because Bayshore has been recognized as an innovator and early leader in an emerging cybersecurity segment that is largely untapped to date,” said Alberto Yépez, managing director of Trident Capital Cybersecurity. “We are impressed with the company’s cutting-edge cloud-based technology, the team’s ability to grow its customer base across the Fortune 100, and its track record of developing strategic alliances with world-class players.”

Targeting Cybersecurity for the Industrial Internet
While the Internet provides significant business advantages to industrial enterprises, it leaves their operations exposed and vulnerable to the hazards of the Internet. Bayshore was founded in 2012 to help protect industrial enterprises against Internet-based cyber attacks, which are becoming increasingly common.

The term “Industrial Internet” refers to the convergence of networked applications and sensors with industrial machinery and processes. The Industrial Internet of Things (IoT) represents new business opportunities for enterprises in industries such as manufacturing, critical infrastructure, smart cities and connected cars.

Bayshore’s cloud-based software, called the Bayshore IT/OT Gateway, provides IT departments with visibility into OT (Operational Technology) infrastructure, networks, applications, machines and workers. These OT networks are undergoing transformation and require services traditionally available for IT networks, such as secure remote access and analytics. Bayshore provides immediate value by preventing OT process disruptions and enhancing operational efficiency and business continuity.

The software is distinguished by extremely granular inspection and filtering of network flows — all the way down to machine sensor values — and the ability to provide security enforcement and application segmentation and isolation via flexible, rapidly deployed policies. Bayshore’s policy engine is capable of supporting common industrial protocols and quickly adapting to new and proprietary protocols.

These capabilities are built from the ground up for the Industrial Internet and provide Bayshore’s F-100 customers with future-proof, cloud-based solutions that are complementary to legacy hardware-based industrial firewalls. Designed for IT perimeter security, firewalls look at IP addresses and ports, which means they block attacks according to standard Internet parameters. Because industrial cyber attacks are typically based on granular machine instructions that alter sensor values, Bayshore’s technology is positioned to detect industrial attacks that are often overlooked by other security technologies.

If the Industrial Internet is adequately protected, General Electric estimates it has the potential to add up to $15 trillion in global Gross Domestic Product (GDP) over the next 20 years.(1) IDC believes that revenues for IoT security products, which totaled $9.4 billion worldwide in 2015, will exceed $20 billion by 2020, a compound annual growth rate of 16.5 percent.(2)

“Bayshore intends to capitalize on the rapid expansion of the market by continuing to focus on solving our customers’ problems,” said Mike Dager, the CEO of Bayshore. “That means providing protection of their industrial operations and workers. Because our software supports all popular industrial protocols and easily adapts to proprietary protocols, we will continue to target customers across a broad spectrum of industrial verticals.”

“The protection of industrial control systems from cyber attacks may be one of the most urgent areas of cyber security in the world today,” said Dr. Edward G. Amoroso, former SVP and CSO of AT&T, and now CEO of TAG Cyber LLC. “Bayshore Networks offers a range of effective and scalable software and virtual solutions to accomplish this important objective.”

Bayshore will use some of its venture capital proceeds to complete the relocation of its headquarters from New York City to Bethesda, Maryland, to access the rich cybersecurity expertise in metropolitan Washington, D.C. It will also invest the capital in R&D and in the expansion of its engineering and sales teams.

About Bayshore Networks, Inc.
Bayshore Networks®, named a Gartner Cool Vendor and SINET 16 Innovator, is the cybersecurity leader for the industrial Internet of Things. The Company’s award-winning, patented Bayshore IT/OT Gateway™ software unlocks the power of the Industrial Internet by enabling industrial applications and data. It provides Fortune 1000s with unprecedented visibility into their Operational Technologies, safely and securely protecting industrial applications, networks, machines and workers. The software platform deploys from the cloud, as a virtual machine, or on-prem as a hardware appliance. Bayshore has strategic alliances with leading technology companies including AT&T, BAE Systems, Cisco Systems, and VMware. For more information, visit www.bayshorenetworks.com.

About Trident Capital Cybersecurity
Trident Capital Cybersecurity is a venture capital firm that invests in early-stage companies leveraging emerging technologies in cybersecurity. The firm is a spinout of Trident Capital, which in 1998 became one of the pioneers of cybersecurity venture capital investing… Managing Directors Alberto Yépez, Don Dixon and Sean Cunningham jointly lead the cybersecurity investment team and sit on the boards of Airtight Networks, AlienVault, Blue Cat, Hytrust, IronNet Cybersecurity, Mocana, and Qualys. Renowned as the venture capital firm with the most valuable network of cybersecurity relationships, Trident Capital Cybersecurity also relies on input from a 40-person Cybersecurity Advisory Council, consisting of industry CEOs, customers and former top-level government leaders. Bayshore Networks is the firm’s third investment. Earlier investments were made in IronNet Cybersecurity and Survela. For more information, visit www.tridentcybersecurity.com.

(1) “Pushing the Boundaries of Minds and Machines,” Peter C. Evans and Marco Annunziata, General Electric, November 2012.
(2) “Worldwide Internet of Things Security Products Forecast 2016-2020: Vendors Identify Practical Solutions,” doc #US40829715, January 2016.

May 10, 2016 | Written By

Annual DataMotion Survey Reveals Shortfalls in Healthcare Security & Compliance Policy and Major Mobile Vulnerabilities

Email and File Transfer Poll Exposes Widespread Risks Still Taken By Employees;

Lack of Encryption for Email and Mobile Devices; Growth in Policy Development Undermined by Implementation Failure

FLORHAM PARK, N.J. – March 4, 2015 – DataMotion™, an experienced email encryption and health information service provider (HISP), today announced results of its third annual survey on corporate email and file transfer habits, revealing significant security risks. While companies in all industries increasingly have put security and compliance policies in place – nearly 90 percent of all respondents affirming that in 2014 (compared to 81 percent in 2013) – the growth is largely from healthcare entities. More than 97 percent from the industry report their organizations as having policies in place, compared to 90.4 percent in 2013. However, challenges remain for healthcare when it comes to implementing these, ranging from low employee comprehension to policy violations. Additionally, a lack of encryption, risks in mobile device usage and low awareness of Direct Secure Messaging (Direct) pose serious issues for the highly regulated industry.

DataMotion polled more than 780 IT and business decision-makers across the U.S. and Canada. In particular, the survey focused on individuals who routinely work with sensitive data and compliance regulations in a variety of industries including healthcare, financial services, education and government.

More than 300 respondents were from healthcare. Key insights/comparisons on the industry include:

• Security & Compliance Policy: Gains Undermined by Implementation Failure

  o 36 percent of healthcare respondents said within their entity, security and compliance policies are at most only moderately enforced.

  o 81 percent of all respondents said employees/co-workers either occasionally or routinely violate these policies. While healthcare fared better, nearly 73 percent admitted the same.

  o Key to making policies work is ensuring employee comprehension. When asked if they thought employees fully understood these types of policies, more than a third in healthcare said no, just a slight improvement over those from other industries.

  o When asked about common reasons why policies are violated, 52.7 percent from healthcare said it was because employees were not aware of the policy or that they were in violation. Another 29.1 percent said employees didn’t understand policies. Most troubling, 18.2 percent said policies were intentionally violated by employees to get their job done.

  o These healthcare findings raise a “red flag,” since demonstrating implementation of policies is key to passing an HHS/OCR HIPAA audit.

• Lack of Email Encryption, Mobile Dangers and the Direct Problem

  o Nearly a third of respondents across other industries reported they don’t have the capability to encrypt email. Healthcare posted only a slightly lower response, with nearly a quarter of respondents saying the same.

  o 80.8 percent of healthcare respondents affirmed they’re permitted to use mobile devices for email. Yet, of those that permit email on a mobile device and have encryption at their organization, 31.3 percent cannot send and receive encrypted email from their mobile client.

  o Direct – the secure, email-like protocol developed for healthcare – garnered news coverage throughout 2014. Nearly 42 percent of healthcare respondents said they’re unaware of Direct. And of those who are aware of Direct, 42 percent say their organization is not using the alternative to email encryption.

  o The widespread use of mobile devices in healthcare, coupled with a lack of encryption, creates a “perfect storm” for exposing sensitive data.

• Business Associates and the Long Tail of HIPAA/HITECH

  o Almost 70 percent of respondents whose organizations have a business relationship with a healthcare entity process their protected health information (PHI). Yet, 28 percent said they were either not a Business Associate (BA) or were unsure if they were.

  o Of those processing a healthcare entity’s PHI, 40.5 percent had either not been asked to sign a Business Associate Agreement or were unsure if they had.

  o HIPAA regulations redefined BAs to include downstream entities. Many not previously impacted by HIPAA/HITECH now fall under its long tail. The above numbers show a lack of awareness, placing BAs and the healthcare entities they represent at risk for non-compliance.

“Though the survey shows year-over-year growth in the number of companies putting security and compliance measures in place, the widespread security risks occurring are of great concern,” said Bob Janacek, chief technology officer at DataMotion. “Particularly at a time when organizations have experienced serious data breaches, it’s essential for companies to have strong policies and ensure employees fully understand and follow these. While healthcare has made gains in policy development, it’s all for naught if implementation fails, especially in such a highly regulated industry.”

“These measures should be across the board, as the data shows a gaping hole in security when it comes to mobile devices – with many companies permitting their use but not taking into account their lack of email encryption capabilities,” added Janacek. “Hopefully, this data will provide organizations with a better understanding of what steps need to be taken to ensure security and compliance.”

To view the healthcare survey report, visit: http://www.datamotion.com/get-datamotion-2014-survey-report-healthcare-secure-email-file-transfer-practices/.

For survey results across all industries, visit: http://www.datamotion.com/get-datamotion-2014-survey-report-secure-email-file-transfer-corporate-practices/.

About DataMotion

Since 1999, DataMotion™ SaaS technology has enabled organizations of all sizes to reduce the cost and complexity of delivering electronic information to employees, customers and partners in a secure and compliant way. Ideal for highly regulated industries, the DataMotion SecureMail portfolio offers easy-to-use encryption solutions for email, file transfer, forms processing and customer-initiated contact. In the healthcare sector, DataMotion is an accredited HISP (health information service provider) of Direct Secure Messaging. The DataMotion Direct service enables efficient interoperability and sharing of patient data across the continuum of care. DataMotion is privately held and based in Florham Park, N.J. For the latest news and updates, visit www.datamotion.com, follow DataMotion on LinkedIn or Twitter® @datamotion.

March 4, 2015 | Written By

HITRUST and (ISC)²® Partner to Develop Professional Standards for Credentialing in Healthcare Information Security

With Healthcare Breaches on the Rise, New Alliance Will Help Fill Market Demand for Qualified Healthcare Security Pros

Palm Harbor, Fla., U.S.A., December 12, 2012 – (ISC)²® (“ISC-squared”), the world’s largest information security professional body and administrators of the CISSP®, and the Health Information Trust Alliance (HITRUST), a non-profit organization responsible for the development, management, education and awareness relating to health information security and the leading organization aiding the healthcare industry in advancing the state of information protection, announced today they have entered into an agreement to meet the growing demand for qualified security professionals who can protect sensitive healthcare information. This relationship was also established to allow both organizations to connect with key stakeholders in the healthcare market that can contribute to building new IT security certification and education programs for healthcare professionals.

According to a recently released HITRUST report, “A Look Back: U.S. Healthcare Data Breach Trends,” the healthcare industry has made very little progress in reducing the number of breaches, and the industry’s susceptibility to certain types of breaches has been largely unchanged since breach data became available from the U.S. Department of Health and Human Services (HHS) and the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act went into effect. The HITRUST analysis concludes that every organization would benefit from better education of professionals and simpler identification of the skills needed in the professionals available to assist them in their security efforts. In fact, HHS recommends that smaller organizations seek out certified professionals to help conduct risk assessment and analysis if they lack the capability in-house.

“Through this cooperative relationship, HITRUST and (ISC)² will work together to ensure information security professionals working in healthcare have the required skills to be successful within their organizations and careers,” said Daniel Nutkis, chief executive officer, HITRUST. “Our experience has shown us that organizations with more knowledgeable security professionals manage information risks better and have more advanced information security programs. Healthcare organizations will benefit from having a simpler method to ensure their information protection professionals have the appropriate skills.”

In the U.S. alone, there are approximately 5,754 hospitals registered with the American Hospital Association and almost 240,000 physician practices, according to market research firm SK&A. Some of the key challenges that healthcare organizations face today include:

· They must not only safeguard sensitive patient information within their immediate sphere of control, but they must also ensure the security and privacy of the information shared with their vendors, contractors, and business partners;

· They must comply with vague and non-prescriptive regulations at various levels with HIPAA, HITECH and meaningful use;

· They must contend with the complexities posed by a wide range of business partners with differing capabilities, requirements and risk profiles; and

· They must continuously address significant security, privacy and compliance risks in an effort to protect patient information.

“Healthcare IT professionals are at a critical juncture. With the move to electronic health records, complex regulations to adhere to, and sophisticated cyber security threats knocking at their doors, they have no choice but to improve their security skills and knowledge,” said W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director of (ISC)². “Our new relationship with HITRUST underscores our joint commitment to address this problem and improve not only the skills of healthcare information security professionals, but also cyber security professionalization. We believe that an organization’s privacy and security programs are significantly enhanced when properly trained and experienced individuals are involved. As we look toward 2013, (ISC)² and HITRUST are thrilled to join forces to bring the healthcare IT market real solutions for educating, qualifying and certifying professionals in this field.”

This new cooperative development between HITRUST and (ISC)² will establish metrics for qualifications held by information protection professionals in the industry. In January 2013, the organizations will conduct a credential-building workshop, with several key contributors involved in the job task analysis (JTA) they are jointly working on. This workshop will help the organizations identify the major job requirements and subsequently the knowledge and skills needed by a healthcare information protection professional to fulfill these requirements.

Some of those participating experts include:

· Cathy Beech, chief information security officer, The Children’s Hospital of Philadelphia

· Kevin Charest, chief information security officer (acting), U.S. Department of Health & Human Services

· Clara Cheung, senior systems manager (application infrastructure), Hong Kong Hospital Authority

· Bryan Cline, vice president, CSF development and implementation, and chief information security officer, HITRUST

· Jamie Crow, IT regulatory compliance analyst, Express Scripts

· Leo Dittemore, director, IS security administration, HealthCare Partners, LLC

· Michael Gerleman, director of audit and compliance, Availity

· Kevin Haynes, chief privacy officer, The Nemours Foundation

· Darren Lacey, chief information security officer, Johns Hopkins University/Johns Hopkins Health System

· Taylor Lehmann, chief security officer, Independent Health

· Joy Poletti, director – IT security compliance, Catholic Health Initiatives

· John Sapp, senior director, information security and IT risk management, McKesson Corp.

· Jason Taule, corporate information security and privacy officer, CSC Civil Health Sector

· Ken Vander Wal, chief compliance officer, HITRUST

· Jason Zahn, IT senior internal audit manager, University of Pittsburgh Medical Center

About HITRUST

The Health Information Trust Alliance (HITRUST) is a non-profit organization that was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.

About (ISC)²

(ISC)² is the largest not-for-profit membership body of certified information security professionals worldwide, with over 87,000 members in more than 135 countries. Globally recognized as the Gold Standard, (ISC)² issues the Certified Information Systems Security Professional (CISSP®) and related concentrations, as well as the Certified Secure Software Lifecycle Professional (CSSLP®), Certified Authorization Professional (CAP®), and Systems Security Certified Practitioner (SSCP®) credentials to qualifying candidates. (ISC)²’s certifications are among the first information technology credentials to meet the stringent requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)² also offers education programs and services based on its CBK®, a compendium of information security topics. More information is available at www.isc2.org.

January 3, 2012 | Written By