GNYHA Hosts Cybersecurity Simulation; Plans Learning Series

On May 9-10, GNYHA hosted Acurity-contracted vendor Sensato Cybersecurity Solutions in a comprehensive cybersecurity education and simulation event to help members evaluate their cybersecurity incident response plans and identify concrete ways to enhance them. Multi-disciplinary teams from 14 hospital systems representing approximately 85 facilities participated. Representatives from members’ emergency management, information technology (IT) security, operations, and biomedical engineering teams attended. Each team was given a workbook with key points for improving their plans.

Based on member feedback on the event, GNYHA is designing a multi-part collaborative learning series to help members prevent cyber incidents and enhance their response plans. The series will be open to all members.

GNYHA to Participate in Federal Cyber Workgroups

Since May 2017, GNYHA has been representing members in the Federal Working Group CISA405(d). The group of public and private sector stakeholders, led by the US Department of Health and Human Services (HHS), is tasked with creating a list of cyber guidelines and best practices for small, medium, and large health care providers and systems. GNYHA also recently joined additional working groups led by the Healthcare & Public Health (H&PH) Coordinating Councils. These include the telemedicine group, which is also creating a guidance document scalable to various-sized institutions, and the Regulatory & Policy group, which will crosswalk overlapping or conflicting regulations and generate a paper on incentives for health care sector adoption of cyber risk management best practices.

Information of Note

We are sharing the following information from various Federal agencies, which we think will be of interest to members.

Healthcare and Public Health Cybersecurity Challenges: Legacy Systems

The Department of Homeland Security (DHS) Office of Cybersecurity and Infrastructure Analysis (OCIA) released a report, “Healthcare and Public Health Cybersecurity Challenges-Legacy Systems.” It assesses how legacy systems present risk to hospitals because of their inherent vulnerabilities, known threat actor activity, and the potential economic loss. Legacy systems connected to a hospital’s network are a threat vector targeted by cyber actors to establish a presence on the network. Once a cyber threat actor is present on a device or system, they can launch additional attacks against a hospital’s network, exploiting vulnerabilities in critical systems. Please note that you must have an active Homeland Security Information Network (HSIN) account to access the product. If you are NOT a HSIN member, you can register for an account and join the Critical Infrastructure Community of Interest (HSIN-CI) by sending an e-mail with your first and last name, your employer, your e-mail address, and your reason for requesting access to HSIN-CI to CI-ISE@hq.dhs.gov. HSIN-CI members can also access all of OCIA’s past products.

OpenEMR Flaw Potentially Exposes Medical Records

The HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC) has released information about a vulnerability affecting OpenEMR, which is a free, open-source electronic health records and medical practice management application. According to HCCIC, the vulnerability could lead to the disclosure, corruption, or loss of access to patient medical records and other patient data. OpenEMR features include patient scheduling, billing, prescriptions, and medical records management functions. OpenEMR is used at more than 5,000 physician offices and other small health care facilities serving an estimated 30 million patients in the US. Although the vulnerability was originally disclosed in November 2017, some installations remain unpatched, and at least one pen-testing company recently advertised its ability to exploit the vulnerability.

Cybersecurity Strategy Released

DHS released its new Cybersecurity Strategy, which outlines strategic and operational cybersecurity goals for the next five years. Directed by the National Defense Authorization Act (NDAA) of 2017, the framework details a sevenfold goal set under the five pillars of (1) Risk Identification, (2) Vulnerability Reduction, (3) Threat Reduction, (4) Consequence Mitigation, and (5) Enable Cybersecurity Outcomes. Guiding the goals are seven principles of risk prioritization, cost-effectiveness, innovation and agility, collaboration, global approach, balanced equities, and national values.