The public continues to be bombarded by the media coverage and debate of President Trump’s support or non-support of the U.S. intelligence agencies’ position on Russia. What has taken a backseat is the substance and urgency of a possible cyber-attack. The purpose of this blog is to discuss the threats and its relevance to covered entities and business associates.
On Friday, July 13, 2018, Dan Coats, the director of National Intelligence spoke at the Hudson Institute and discussed the current national security threats against the US. He equated the current risk of a cyber-attack to terrorist attack threats prior to September 11, 2001. The following are a few quotes from his speech:
In 2001, our vulnerability was heightened…At the time, intelligence and law enforcement communities were identifying alarming activities that suggested that an attack was potentially coming to the United States. It was in the months prior to September 2001 when, according to then CIA Director George Tenet, the system was blinking red. And here we are nearly two decades later, and I'm here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.
Every day, foreign actors — the worst offenders being Russia, China, Iran and North Korea — are penetrating our digital infrastructure and conducting a range of cyber intrusions and attacks against targets in the United States. The targets range from U.S. businesses to the federal government (including our military), to state and local governments, to academic and financial institutions and elements of our critical infrastructure — just to name a few.
All of these disparate efforts share a common purpose: to exploit America's openness in order to undermine our long-term competitive advantage.
Threat to Healthcare Providers?
Mr. Coats never mentions healthcare providers. So does this mean there is nothing to worry about? Probably not.
Back in January, the Washington Post reported about NotPetya, a 2017 a Russia-sponsored cyber-attack against Ukraine, designed to disrupt their financial system. The ransomware wiped computer data from banks, energy firms, and senior government officials. While 50% of affected computer systems were located in the Ukraine, the attack spread across the globe and affected systems in Denmark, India and the United States. Half of the victims were unintended targets of the attack.
If government-sponsored cyber-attacks are imminent, the NotPetya attack reminds us that another attack can easily result in collateral damage against unintended victims. Healthcare providers could easily become collateral damage, especially those who have not adequately prepared for a ransomware attack. In the healthcare context, that collateral damage can include costly HIPAA Breaches, and, more alarmingly, patient harm due to lack of utilities and electronic medical records.
Mr. Coats’ “red-flag” warning makes clear that cyber-security measures must be in place. The OCR recommends the following preventative security measures as part of HIPAA compliance:
- Complete a security management process, which includes a risk analysis and implementing security measures to mitigate or remediate those identified risks
- Implementing policies and procedures to guard against and detect malicious software
- User training so staff can assist in detecting and report attacks
- Implementing access controls to limit access to ePHI to only persons or software programs requiring access.