The U.S. Department of Health and Human Services’ Office of Civil Rights has issued new guidance on cyber threats, advising HIPAA-covered entities to obtain the latest intelligence on new cyber threats that could potentially allow cybercriminals to gain access to the protected health information of patients and health plan members.
Threat intelligence is issued by many organizations, although OCR's guidance on cyber threats recommends regularly checking the website of the United States Computer Emergency Readiness Team (US-CERT) and signing up for email updates.
US-CERT is part of the Department of Homeland Security, and has access to intelligence from many sources. US-CERT is responsible for analyzing all the gathered threat intelligence and issuing updates to businesses and the public.
The US-CERT reports cover the latest cyber threats, and are made available on its website. The reports also include new vulnerabilities, mitigations and details of new patches that have been released.
OCR advises covered entities to incorporate the information from US-CERT into their security management processes. Under HIPAA, the security management process requires covered entities to perform risk analyses to identify threats and vulnerabilities that could jeopardize the confidentiality, integrity and availability of PHI. Obtaining threat intelligence is an important part of the HIPAA security management process. If threats are not identified, action cannot be taken to mitigate risk.
OCR uses a recent US-CERT report on the Grizzly Steppe attacks as an example. The report has particular relevance for the healthcare industry. Grizzly Steppe is the name given to a group of Russian hackers that are conducting attacks on U.S. government organizations, the private sector, educational establishments and healthcare organizations. The intelligence gathered by US-CERT, and included in its Joint Analysis Report, informs organizations of the threat, the common methods of attack, and suggested mitigations that can be implemented to keep networks secure.
OCR’s guidance on cyber threats also explains the importance of sharing threat intelligence. When healthcare organizations experience security incidents, it is important that information about those incidents is shared with US-CERT. Reports can be submitted 24/7, and the information supplied can be used to warn other organizations about the risk of attack.
OCR says “Covered entities should report to US-CERT any suspicious activity, including cybersecurity incidents, cyber threat indicators and defensive measures, phishing incidents, malware, and software vulnerabilities.”