Resources tagged with:
HIPAA

Healthcare organizations of all shapes and sizes will be held to a stricter standard of cybersecurity starting in 2025 with new proposed rules, but not all have the budget for it.

Since the beginning, HIPAA has always been the best, yet insufficient, regulation dictating cybersecurity for the healthcare industry.

“[There’s] a history of the focus being in the wrong place because of the way HIPAA was laid out in the mid-1990s,” says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). “At the time, there was this big push to transfer medical and health records to the electronic medium. And with the advent of the HIPAA regulations, it was all about protecting patient privacy but not necessarily securing those records.”

HIPAA’s focus on privacy limited its ability to address more diverse cybersecurity threats in the 2010s, particularly ransomware. Meanwhile, instead of using it as a baseline for developing a robust security posture, organizations tended to treat HIPAA more as a set of boxes to check. “It ended up driving budgets toward compliance and not necessarily security. And in the past five or six years, we’ve seen what happens in an environment that’s not properly secured, not properly tied down, not properly backed up, when they’re hit by ransomware,” Weiss says.

“Even if they’re already following all the NIST controls,” Dispersive’s Pingree estimates, implementing the new HIPAA security rules “could cost as low as $100,000 for a small doctor’s office, or it could be many millions if you’re a big medical group.”

One possible way stretched healthcare organizations might navigate all these new rules and their associated costs is with an outsourced, virtual chief information security officer (vCISO), according to Weiss. Because “it’s not just about buying the technology. It’s also about recruiting and retaining the cybersecurity expertise that you need to run,” he says.

“These organizations don’t know where to start,” he continues. “The cybersecurity market is very confusing. There are a lot of players. There are a lot of solutions. So if you have $100 to spend on cybersecurity, where do you spend that? They need help to be able to figure all of that out. And I think something like a virtual CISO can help implement a strategy, and then be around on a virtual basis — to check in, to be a resource for that organization when they have questions and they need some help. It seems like a decent model for these small rural hospitals that could not necessarily justify or hire a full-time CISO.”

Read the full article in Dark Reading. Click Here

 

Experts: New Mandates Could Be Difficult, Costly for Many Entities

A proposed overhaul of federal cybersecurity regulations for the healthcare industry could mean difficult and expensive heavy lifting for many organizations, said experts.

“The costs to fulfill these provisions will be enormous,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center. “Where is the money coming from to pay for all this? It can’t be from future savings from avoided breach penalties. Financially strained healthcare providers, especially small rural hospitals, don’t have the resources to support these new proposals,” he said.

Any regulatory requirements like this will need to come with funding assistance so that healthcare providers can acquire the proper technology and, more importantly, recruit and retain experienced cybersecurity professionals to adequately protect their networks, Weiss said.

 

Read the full article in Bank InfoSecurity. Click Here

This week, Health-ISAC^®‘s Hacking Healthcare^® opens 2025 with a look at the new proposed revisions to the HIPAA Security Rule. After providing a high-level overview of what the U.S. Department of Health and Human Services (“HHS”) has put forward, we will dive into the analysis section to provide our thoughts on what is included and what the potential path forward for this revision might be as we transition to the Trump administration. 

Experts on Potential Data Security and HIPAA Privacy Changes in Trump’s Second Term

With Donald J. Trump set to return to the White House in January to serve another four-year term as U.S. president, what might the healthcare sector expect to see when it comes to his next administration’s cybersecurity priorities and HIPAA regulations and enforcement?

 

Excerpt from the November 6th article in BankInfo Security

“Any cybersecurity mandates for hospitals need to be accompanied by funding to support those programs,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center.

“Historically, hospitals have been underfunded in cybersecurity, leaving organizations without the technology, and more importantly, the experienced cybersecurity people to properly protect those networks,” he said.

 

Read the full article here.

Click Here

The Health Information Sharing and Analysis Center (Health-ISAC) has issued a warning to the healthcare and public health sector about cyber threat actors exploiting TeamViewer remote connectivity software. TeamViewer provides remote access and remote control of devices and is commonly used for remote IT support and maintenance.