
Congressional

CHIME’s Board Chair Testifies on Change Healthcare Cyberattack



Key Takeaway: Last week, Scott MacLean, CHIME’s Board Chair and SVP and CIO of MedStar Health, testified on behalf of CHIME’s membership during a hearing held by the House Energy and Commerce (E&C) Health Subcommittee titled “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack.” Read Scott’s full written testimony here.


Why It Matters: Scott’s testimony included an overview of the healthcare cybersecurity landscape, the impact of the Change Healthcare cyberattack on CHIME members, and recommendations for Congress. Those recommendations included establishing safe harbors for threat information sharing, designating certain cyberattacks as “all hazards” incidents to activate government response support services, and requiring third parties and payers to share responsibility for cybersecurity with providers, among others.


Scott was joined on the panel by Greg Garcia (Health Sector Coordinating Council), Robert Sheldon (CrowdStrike), John Riggi (American Hospital Association), and Dr. Adam Bruggeman (Texas Spine Center). Although UnitedHealth Group did not testify at this hearing, the E&C Subcommittee on Oversight and Investigations has announced that UnitedHealth Group will testify before it on May 1.

Federal

OCR Creates FAQ Webpage in Response to the Change Healthcare Cyberattack


Key Takeaway: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has created a new website to share answers to frequently asked questions (FAQs) concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group (UHG), and many other health care entities.


Why It Matters: The site answers questions and provides helpful information on many topics, including: Why did OCR issue the March 13, 2024, “Dear Colleague Letter”? Why is OCR initiating an investigation and what does it cover? And more. One notable question answered is “Has OCR received breach reports from Change Healthcare, UHG, or any affected health care entities?” The response, in part, is: “No. Covered entities have up to 60 calendar days from the date of discovery of a breach of unsecured protected health information to file breach reports to OCR’s breach portal for breaches affecting 500 or more individuals.”

Cybersecurity

FTC Releases Security Principles: Addressing Vulnerabilities Systematically


Key Takeaway: The Federal Trade Commission (FTC) has taken enforcement actions against companies with poor security practices, including failure to encrypt sensitive data, storing credentials in source code, and neglecting common vulnerability testing. In a recent blog post, the FTC shared Security Principles which emphasize addressing vulnerabilities systematically, rather than in ad-hoc ways. By adopting known approaches to prevent or significantly reduce common vulnerabilities, companies can enhance overall cybersecurity in complex systems.



Why It Matters: The FTC’s focus on systemic security measures underscores the importance of proactive risk management. Companies must prioritize security from the outset, eliminating entire vulnerability classes and minimizing risks. This approach aligns with industry best practices and aims to safeguard both consumer data and system integrity.

CISA and Partners Release Advisory on Akira Ransomware



Key Takeaway: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and international partners released a joint Cybersecurity Advisory (CSA), #StopRansomware: Akira Ransomware. The advisory disseminates known Akira ransomware tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as February 2024. Akira ransomware has impacted businesses and critical infrastructure entities globally, claiming $42 million (USD) in ransomware proceeds.


Why It Matters: The release of the joint CSA underscores the importance of addressing vulnerabilities systematically. Akira threat actors have expanded from targeting Windows systems to a Linux variant that impacts VMware ESXi virtual machines. Critical infrastructure organizations are encouraged to review and implement the provided mitigations to reduce the likelihood and impact of Akira and other ransomware incidents.

HC3 Sector Alert: Update: Palo Alto Networks Firewalls



Key Takeaway: The Health Sector Cybersecurity Coordination Center (HC3) released an updated Sector Alert on Palo Alto Networks Firewalls. On April 12, Palo Alto Networks issued a warning about a known Common Vulnerabilities and Exposures (CVE) entry, a zero-day command injection vulnerability found in its firewalls running PAN-OS v10.2, 11.0, and 11.1 with configurations for both GlobalProtect gateway and device telemetry enabled. Palo Alto has released hotfixes, and organizations should review the updated security advisory to prevent serious damage to the Healthcare and Public Health (HPH) sector.


Why It Matters: There has been an increasing number of attacks observed against this vulnerability since its disclosure. Threat actors exploit the CVE to set up backdoors, leveraging that access to move through target organizations’ networks, with 156,000 daily instances seen. The original advisory stated that disabling device telemetry would work as an effective secondary mitigation, but the most recent update states that device telemetry does not need to be enabled for PAN-OS to be vulnerable to attacks.

Interoperability

ONC Blog: Launching the DaVinci Prior Authorization Support (PAS) Test Kit



Key Takeaway: The Office of the National Coordinator for Health IT (ONC) announced that the DaVinci Prior Authorization Support (PAS) Test Kit is now available, providing developers and health IT implementers with a tool to test health IT systems’ support for prior authorization using the HL7® Fast Healthcare Interoperability Resources (FHIR®) standard. The test kit focuses on prior authorization support according to the PAS implementation guide version 2.0.1 and includes tests for clients (e.g., EHR systems) and servers (e.g., payer systems). By offering these tools, ONC aims to enhance interoperability within the healthcare ecosystem.


Why It Matters: The release of the DaVinci PAS Test Kit provides necessary tools for testing FHIR implementations of prior authorization workflows, ultimately advancing interoperability across use cases. During the HL7 FHIR May 2024 Connectathon, ONC plans to demonstrate draft test kits for other DaVinci implementation guides, including Coverage Requirements Discovery (CRD), Documentation Templates and Rules (DTR), and Payer Data Exchange (PDex).

Privacy

FTC Blog Posts on Recent Actions Against Companies Sharing Health Information



Key Takeaway: The FTC has recently taken two more law enforcement actions against companies that shared health information with third-party advertising platforms without consumer consent. You can find the recent blog posts here and here.


Why It Matters: According to the Commission, one company disclosed data that included sensitive health information about customers’ medical histories and prescriptions, and another disclosed information that revealed that users were getting help with alcohol addiction. Both companies are banned from sharing users’ health information for advertising. The FTC states that it “won’t back down in the fight to protect the privacy of consumers’ sensitive health data.”

Artificial Intelligence

U.S. AI Safety Institute Expands Leadership Team



Key Takeaway: U.S. Commerce Secretary Gina Raimondo announced the expansion of the U.S. AI Safety Institute (AISI) leadership team. New members include Paul Christiano (Head of AI Safety), Adam Russell (Chief Vision Officer), Mara Campbell (Acting Chief Operating Officer and Chief of Staff), Rob Reich (Senior Advisor), and Mark Latonero (Head of International Engagement).


Why It Matters: The AISI was established within the National Institute of Standards and Technology (NIST), under the direction of President Biden’s Executive Order (E.O.) and aims to strengthen AI safety and security through top talent and international collaboration. The AISI’s executive team brings expertise in AI safety, civil society engagement, and international cooperation. Their work will shape guidelines, enhance safety, and foster global leadership in AI ethics and security.

NSA AISC Issues Joint Guidance on Deploying AI Systems Securely



Key Takeaway: The National Security Agency’s Artificial Intelligence Security Center (NSA AISC), in collaboration with CISA, the FBI, and international partners, has published joint guidance on deploying AI systems securely. The guidance emphasizes confidentiality, integrity, and availability of AI systems and provides best practices for mitigating known vulnerabilities. Organizations deploying externally developed AI systems should review and apply this guidance to enhance their security posture.


Why It Matters: As AI adoption accelerates, ensuring secure deployment is critical. This guidance equips organizations with actionable steps to protect AI systems and related data against malicious activity.

Data & Models: A Quote Book from the FTC Tech Summit on AI



Key Takeaway: The FTC’s Tech Summit on AI convened three panels that each highlighted a different layer of the AI tech stack: hardware and infrastructure, data and models, and front-end user applications. This second Quote Book, which you can find here, is focused on data and models. A recent post from the Commission outlines the intended purpose of the quote book, a summary of the panel, and relevant topics and actions raised by the FTC.


Why It Matters: The “Quote Book” is a resource to quickly distill various perspectives on topics, from ways to enable competition and innovation to potential consumer concerns like data privacy, labor issues, deceptive messaging, and more. The FTC pledges to be vigilant in evaluating these issues as the agency pursues its joint competition and consumer protection mandate. Additionally, the Commission has taken recent action to deepen its understanding of competition among some AI model developers.

College of Healthcare Information Management Executives (CHIME)
(734) 665-0000 | www.chimecentral.org