<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Julie Rennecker, PhD, BSN, Author at Third Rock</title>
	<atom:link href="https://thirdrock.com/blog/author/julie/feed/" rel="self" type="application/rss+xml" />
	<link>https://thirdrock.com/blog/author/julie/</link>
	<description>Building a Cyber Confident World</description>
	<lastBuildDate>Tue, 21 Jul 2020 11:48:38 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.5.8</generator>

<image>
	<url>https://i0.wp.com/thirdrock.com/wp-content/uploads/cropped-favicon-check.png?fit=32%2C32&#038;ssl=1</url>
	<title>Julie Rennecker, PhD, BSN, Author at Third Rock</title>
	<link>https://thirdrock.com/blog/author/julie/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">65153150</site>	<item>
		<title>Am I a Data Processor or a Data Controller? &#8211; Check the GDPR glossary</title>
		<link>https://thirdrock.com/blog/2018/05/30/am-i-a-data-processor-or-a-data-controller-check-the-gdpr-glossary/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Wed, 30 May 2018 18:53:36 +0000</pubDate>
				<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[complete GDPR Assessment]]></category>
		<category><![CDATA[GDPR glossary page]]></category>
		<category><![CDATA[GDPR infographic]]></category>
		<category><![CDATA[GDPR risk assessment]]></category>
		<category><![CDATA[key terms]]></category>
		<category><![CDATA[risk assessment]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5657</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/05/30/am-i-a-data-processor-or-a-data-controller-check-the-gdpr-glossary/">Am I a Data Processor or a Data Controller? &#8211; Check the GDPR glossary</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
							<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p style="padding-left: 120px;"><img data-recalc-dims="1" fetchpriority="high" decoding="async" class="aligncenter wp-image-5682" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/gdpr_3-D-word-cloud.jpg?resize=428%2C257&#038;ssl=1" alt="Dynamic GDPR infographic | GDPR Risk Assessment | key terms" width="428" height="257" /></p>
<p>Ok, so the GDPR &#8220;deadline&#8221; has passed, but many of you are still tying up loose ends &#8211; or perhaps just discovering that the law applies to you! Whatever the case, don&#8217;t let confusion over a few terms slow your progress. Some vendors got together to create a great <a href="https://www.eugdpr.org/glossary-of-terms.html">glossary page</a> that defines all the key terms.</p>
<p>If you&#8217;re still uncertain about what you need to <em>do</em>, the official GDPR page summarizes the key points in a dynamic <a href="https://ec.europa.eu/justice/smedataprotect/index_en.htm">infographic</a>.</p>
<p>Need to get GDPR compliant and don&#8217;t have time or expertise to learn all the rules? Third Rock can deliver a complete GDPR Assessment with a prioritized list of corrective actions in just 5-7 business days for any size organization. Plus, based on your assessment results, we can help you determine whether you need additional help from us or one of our technical partners.</p>
<p>Third Rock is all about Complete Cyber Confidence. <a href="https://thirdrock.com/contact-us/">Contact us</a> today to achieve Complete GDPR Confidence.</p></div>
			</div>
			</div>		
				
				
				
				
			</div>	
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2018/05/30/am-i-a-data-processor-or-a-data-controller-check-the-gdpr-glossary/">Am I a Data Processor or a Data Controller? &#8211; Check the GDPR glossary</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5657</post-id>	</item>
		<item>
		<title>The GDPR deadline is here &#8211; are you ready?</title>
		<link>https://thirdrock.com/blog/2018/05/25/the-gdpr-deadline-is-here-are-you-ready/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Fri, 25 May 2018 18:02:14 +0000</pubDate>
				<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[CyberCompass™]]></category>
		<category><![CDATA[first step]]></category>
		<category><![CDATA[GDPR risk assessment]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[security risk analysis]]></category>
		<category><![CDATA[Security Risk Assessment]]></category>
		<category><![CDATA[Third Rock]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5665</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/05/25/the-gdpr-deadline-is-here-are-you-ready/">The GDPR deadline is here &#8211; are you ready?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><img data-recalc-dims="1" decoding="async" class="wp-image-5522 size-medium alignright" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?resize=300%2C214&#038;ssl=1" alt="GDPR Deadline | Risk Assessment " width="300" height="214" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?resize=300%2C214&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?resize=768%2C549&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?resize=1024%2C731&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 300px) 100vw, 300px" />If you are not yet GDPR-ready, you&#8217;re not alone. Many companies are still scrambling to meet the requirements. Some U.S.-based companies didn&#8217;t realize the law would apply to them. Others did not realize the full extent of the law &#8211;&nbsp;<em>or of their own data collection!&nbsp;</em></p>
<p>Don&#8217;t worry &#8211; whether starting from scratch or needing to document your current GDPR status, Third Rock&#8217;s CyberCompass™ streamlines the assessment process and automates the report generation, making it possible for Third Rock to give you a full report, including a prioritized list of action items, within a few days. Then, if needed, our consultants and technology partners can work with you to address the action items and come into compliance.&nbsp;<a href="https://thirdrock.com/contact-us/">Contact us</a> today to <strong>schedule a GDPR assessment</strong>, the<em> first step</em> in becoming compliant.</p>
<p style="text-align: center;"><strong>GDPR&nbsp;</strong><strong>&#8211; Automated. Simplified. Affordable.</strong></p>
<p style="text-align: center;"></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2018/05/25/the-gdpr-deadline-is-here-are-you-ready/">The GDPR deadline is here &#8211; are you ready?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5665</post-id>	</item>
		<item>
		<title>Key Themes at Texas Health Care Security &#038; Technology Conference</title>
		<link>https://thirdrock.com/blog/2018/05/08/key-themes-at-texas-health-care-security-technology-conference/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Tue, 08 May 2018 14:00:20 +0000</pubDate>
				<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[continuous improvement process]]></category>
		<category><![CDATA[cyber risk management]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[financial impact of a breach]]></category>
		<category><![CDATA[guidance and remedies]]></category>
		<category><![CDATA[holistic approach]]></category>
		<category><![CDATA[holistic cyber risk management]]></category>
		<category><![CDATA[incident response plan]]></category>
		<category><![CDATA[Security Risk Assessment]]></category>
		<category><![CDATA[team sport]]></category>
		<category><![CDATA[Texas Health Care Security & Technology Conference]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5529</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/05/08/key-themes-at-texas-health-care-security-technology-conference/">Key Themes at Texas Health Care Security &#038; Technology Conference</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_2 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5548 size-medium" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/02C86071.jpg?resize=200%2C300&#038;ssl=1" alt="Hats off to Fernando Martinez and his team" width="200" height="300" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/02C86071.jpg?resize=200%2C300&amp;ssl=1 200w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02C86071.jpg?resize=768%2C1152&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02C86071.jpg?resize=683%2C1024&amp;ssl=1 683w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02C86071.jpg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02C86071.jpg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 200px) 100vw, 200px" /></p>
<p>Last month Robert Felps and I were fortunate to attend THA’s inaugural Texas Health Care Security &amp; Technology Conference. Great speakers, wonderful host and facility, collegiate atmosphere – a great learning experience overall. Hats off to Fernando Martinez, THA&#8217;s Chief Digital Officer, and his team for a great couple of days. Here&#8217;s a brief recap of the key takeaways.</p>
<p><strong>REALITY</strong></p>
<ol>
<li><strong>Cyber threats are dynamic. </strong><a href="https://www.linkedin.com/in/bvirtue">Bill Virtue</a> reminded us that there have been more than 4000 ransomware attacks per day since the beginning of 2016 (that’s 2,892,000 attacks in 2 years!), and <a href="https://www.linkedin.com/in/mechols">Michael Echols</a> reported that the cyber criminals are continually learning and sharing information.</li>
</ol>
<ol start="2">
<li><strong>Patient safety is at stake.</strong> <a href="https://www.linkedin.com/in/yatessecurity">Randy Yates</a>, <a href="https://www.linkedin.com/in/william-phillips-ab18047">Bill Phillips</a>, and <a href="https://www.linkedin.com/in/bobchaput">Bob Chaput</a> all gave examples of how the proliferation of medical IoT presents an increasing risk of patient harm if an attack shuts down or alters the performance of both diagnostic and treatment equipment, including CAT scanners, ultrasound machines, infusion pumps, and ventilators.</li>
</ol>
<ol start="3">
<li><strong>The real financial impact of a breach can be 10x the OCR fine!</strong> The hard costs of notifications can add up quickly, the most common being legal fees, lawsuits, technology support, forensics experts, increased marketing costs, and increased staff time. The less tangible costs of brand damage will be evident in the bottom line. The examples were sobering.</li>
</ol>
<p>Before everyone fell into complete despair, however, each speaker also offered guidance and remedies – as Bob Chaput of Clearwater put it, “No matter where you are, there <em><u>is</u></em> a path forward.” Below are key themes of the speakers’ recommendations, which I’ve labeled “reality <em>management</em>” because another key takeaway from the conference was that there is no such thing as being “done” with cybersecurity because cyber risk management is an ongoing process.</p>
<p><strong>REALITY MANAGEMENT</strong></p>
<ol>
<li><strong>Cybersecurity <em>is</em> risk management.</strong> This was the title of Michael Echols&#8217; presentation and pretty much sums up all the points that follow.</li>
<li><strong>Cybersecurity is a team sport.</strong> IT cannot and should not be managing cybersecurity in isolation. Everyone in the C-suite needs to understand the role they play in keeping patient data safe and the steps they need to take to get their managers and staff on board.</li>
<li><strong>A Security Risk Assessment is the essential first step.</strong> “You can’t secure your system if you don’t know where the vulnerabilities are.”</li>
<li><strong>Any device or equipment that connects to the network must be included in the SRA</strong>. Even devices that don’t tie directly into the EHR, such as a remote-controlled thermostat on the blood refrigeration unit – or the aquarium in the waiting area! – can be a point of entry for a malware attack.</li>
<li><strong>Cybersecurity requires a holistic, programmatic approach</strong>.<img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5551 size-medium" style="margin-left: 10px; margin-top: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/02F05316.jpg?resize=300%2C200&#038;ssl=1" alt="Cybersecurity is a team sport | tug of war" width="300" height="200" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/02F05316.jpg?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02F05316.jpg?resize=768%2C512&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02F05316.jpg?resize=1024%2C683&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02F05316.jpg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02F05316.jpg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 300px) 100vw, 300px" /> A single, new cybersecurity technology will not make your organization secure. Once the vulnerabilities have been identified via the security risk assessment, addressing those vulnerabilities will require administrative action, process improvements, and staff education and reinforcement, as well as technology adjustments. See #2 – <em>cybersecurity is a team sport.</em></li>
<li><strong>Establish an incident response plan – and practice it regularly.</strong> Organizations that prepare recover faster and incur fewer costs – hard and soft costs &#8211; in the event of a ransomware attack or other breach.</li>
<li><strong>Bottom line: Start now – and continue! </strong>Cyber risk management is a continuous improvement process.</li>
</ol>
<p>In summary: (1) the threat is real and persistent; (2) technology alone won&#8217;t solve the problem.</p>
<p>If you’ve been an active cybersecurity player, there are few surprises here. Hopefully, however, it is reassuring to hear that you’re on the right path, and you’re not alone – hospital executives across the state and across the country are working hard to get out of the fire-fighting business and into holistic cyber risk management.</p>
<p style="text-align: center;"><strong>Building a CyberConfident™ World</strong></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2018/05/08/key-themes-at-texas-health-care-security-technology-conference/">Key Themes at Texas Health Care Security &#038; Technology Conference</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5529</post-id>	</item>
		<item>
		<title>National Nurses Week 2018 &#8211; Nurses: Inspire. Innovate. Influence</title>
		<link>https://thirdrock.com/blog/2018/05/08/national-nurses-week-2018-nurses-inspire-innovate-influence/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Tue, 08 May 2018 12:00:42 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[cyber hygiene]]></category>
		<category><![CDATA[cyber safety]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[Cyber-threats]]></category>
		<category><![CDATA[device hacking]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[Third Rock]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5584</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/05/08/national-nurses-week-2018-nurses-inspire-innovate-influence/">National Nurses Week 2018 &#8211; Nurses: Inspire. Innovate. Influence</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_3 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><img data-recalc-dims="1" loading="lazy" decoding="async" class="size-medium wp-image-5585 aligncenter" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/ANA_NNW2018_Logo_Color.jpg?resize=300%2C205&#038;ssl=1" alt="" width="300" height="205" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/ANA_NNW2018_Logo_Color.jpg?resize=300%2C205&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ANA_NNW2018_Logo_Color.jpg?resize=768%2C524&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ANA_NNW2018_Logo_Color.jpg?resize=1024%2C698&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ANA_NNW2018_Logo_Color.jpg?w=1571&amp;ssl=1 1571w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p>Third Rock would like to take this chance to salute the nation&#8217;s Nurses for their role in patient safety &#8211; clinical safety, physical safety, <em>and cyber safety.</em> It&#8217;s nurses of all types who are on the front lines of protecting patients from cyber threats &#8211; such as identity theft, ransomware, and device hacking &#8211; by practicing good &#8220;cyber hygiene.&#8221; Good job, nurses &#8211; THANKS for all you do to keep all of us cyber safe!</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2018/05/08/national-nurses-week-2018-nurses-inspire-innovate-influence/">National Nurses Week 2018 &#8211; Nurses: Inspire. Innovate. Influence</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5584</post-id>	</item>
		<item>
		<title>Are you Cyber Confident?</title>
		<link>https://thirdrock.com/blog/2018/03/27/are-you-cyber-confident/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Tue, 27 Mar 2018 14:00:01 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[building cyber confidence]]></category>
		<category><![CDATA[business data]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Compliance Office]]></category>
		<category><![CDATA[culture change]]></category>
		<category><![CDATA[cyber threat response]]></category>
		<category><![CDATA[healthcare practice managers]]></category>
		<category><![CDATA[information security policies & procedures]]></category>
		<category><![CDATA[IT department]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk management process]]></category>
		<category><![CDATA[Security Risk Assessment]]></category>
		<category><![CDATA[staff education and monitoring]]></category>
		<category><![CDATA[workforce training]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5267</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/03/27/are-you-cyber-confident/">Are you Cyber Confident?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_4 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5306" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/02J81382.jpg?resize=133%2C200&#038;ssl=1" alt="fear, lack of confidence, scared," width="133" height="200" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/02J81382.jpg?resize=200%2C300&amp;ssl=1 200w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02J81382.jpg?resize=768%2C1152&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02J81382.jpg?resize=683%2C1024&amp;ssl=1 683w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02J81382.jpg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02J81382.jpg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 133px) 100vw, 133px" />In our conversations with healthcare practice managers and CIOs &#8211; whether at small-to-medium practices, dental offices, outpatient facilities, or hospitals &#8211; we&#8217;ve found that few leaders feel confident in their organization&#8217;s ability to protect against and respond to cyber threats. Managers of smaller organizations have told us &#8220;It&#8217;s like a monster out there just waiting to get us, and there&#8217;s nothing we can do about it.&#8221;</p>
<p>Even CIOs at larger organizations who feel confident about having the right technologies and procedures in place admit that they have little interaction with the Compliance Office that manages staff education and little control over mobile devices. The result &#8211; they feel exposed, just waiting to see/hear where a breach has occurred.</p>
<p>As a general rule, frightening already frightened people does not promote the kind of thoughtful, proactive behavior required for a sustainable approach to cybersecurity. To get that kind of behavior, organizational leaders and their staff need to feel <em>cyber confident</em> &#8211; not just that the IT department is doing its job, but that they themselves feel knowledgeable about the threats they are facing and how to defend against them. So what can leaders do to increase their own cyber confidence and promote a culture of cyber confidence within their organizations?</p>
<ol>
<li><strong><span style="color: black; font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: medium;">Complete a Security Risk Assessment </span></strong><span style="color: black; font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: medium;">&#8211; Trying to secure your organization without a thorough assessment of its particular vulnerabilities is like trying to diagnose a patient&#8217;s illness based on the survey results of &#8220;the most common illnesses for men age 35-50.&#8221; Organizations face many of the same threats, but the <em>vulnerabilities </em>vary significantly from one organization to the next. The formal Security Risk Assessment is typically a coordinated assessment of all departments in an organization at the same time. </span></li>
<li><span style="color: black; font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: medium;"><strong>Locate &#8211; and document the location &#8211; of all your business data.</strong> Your business data &#8211; customer records, employee records, financial transaction data &#8211; should be inventoried as carefully as any other business assets. To ensure that it is protected, you must first know where it is! Again, this is NOT just a job for IT. Mobile devices, printers and fax machines (yes fax machines are still alive and well), medication dispensing machines, and the computer workstations scattered around every department in your organization are all likely repositories of business data. Note the location, serial number, and data types on each device.</span></li>
<li><span style="color: black; font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: medium;"><strong>Train your workforce</strong> &#8211; Cybersecurity is now part of <em>everyone&#8217;s</em> job.<span style="color: black; font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: medium;"> Be sure every member of your workforce &#8211; including student interns, volunteers, clerical staff, and managers &#8211; receives cybersecurity training and can demonstrate the correct procedures for safeguarding customer data. See Ed Jones&#8217; post on <a href="https://thirdrock.com/blog/2018/03/01/how-to-grow-cyber-security-awareness-heroes/">How to Grow Cyber Security Awareness Heroes</a> for more detail on this topic. </span></span></li>
<li><span style="color: black; font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: medium;"><strong>Implement up-to-date Information Security Policies &amp; Procedures</strong> &#8211; If you purchase templates, be sure to customize them to accurately reflect the data management practices and technologies at your organization. And purchasing them is not enough &#8211; each Policy and Procedure must be implemented. That means making sure every member of the workforce is aware of and understands the policies and procedures that apply to their respective role and that managers or members of the compliance team follow up, observe, and retrain as necessary to ensure they are being followed.</span></li>
<li><span style="color: black; font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: medium;"><strong>Implement a Risk Management Process</strong> &#8211; A Risk Management Plan is exactly what it sounds like &#8211; a plan for addressing each of the risks identified in the Security Risk Assessment. It should cover all departments and be reviewed regularly to assess progress on any corrective actions. We recommend reviewing the plan at least monthly. Integrating the review into monthly staff meetings, if you have them, is a good way to build cybersecurity and risk management into your standard operating procedures. </span></li>
</ol>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5305" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_2419_04489.jpg?resize=133%2C200&#038;ssl=1" alt="confident female healthcare doctor" width="133" height="200" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_2419_04489.jpg?resize=200%2C300&amp;ssl=1 200w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_2419_04489.jpg?resize=768%2C1152&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_2419_04489.jpg?resize=683%2C1024&amp;ssl=1 683w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_2419_04489.jpg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_2419_04489.jpg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 133px) 100vw, 133px" /></p>
<p><span style="color: black; font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: medium;">It&#8217;s true that IT plays a significant role in assessing and securing your organization&#8217;s data stores, but everyone plays a role in keeping your organization&#8217;s business data secure. Taking these steps to secure the data and address the risks under your own control will have the added benefit of increasing your own cyber confidence and building a culture of cyber confidence.</span></p>
<p>If your organization needs a security risk assessment, compliance management plan, or cyber security plan; or you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at:  <a href="mailto:info@thirdrock.com">info@thirdrock.com</a></p>
<h3 style="text-align: center;"><strong>Protect your Clients. Protect your Organization. Protect Yourself.™</strong></h3></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2018/03/27/are-you-cyber-confident/">Are you Cyber Confident?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5267</post-id>	</item>
		<item>
		<title>Overcoming Organizational Roadblocks to Cyber Security </title>
		<link>https://thirdrock.com/blog/2018/02/22/overcoming-organizational-roadblocks-to-cyber-security/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Thu, 22 Feb 2018 15:10:56 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA["Ignorance is no excuse."]]></category>
		<category><![CDATA[audit log]]></category>
		<category><![CDATA[breach remediation budget]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[HIPAA training courses]]></category>
		<category><![CDATA[medical devices]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Security Risk Assessment]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5185</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/02/22/overcoming-organizational-roadblocks-to-cyber-security/">Overcoming Organizational Roadblocks to Cyber Security </a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_5 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><span style="font-size: 12px;">In many organizations, cyber security is perceived as one of those “important-but-not-urgent” issues that keep getting put off in deference to the pressing issues of the day – insurance denials, staffing, readmissions, patient no-shows, supply shortages…the list goes on.  It’s not that organizational leaders are doing nothing. In most organizations, the basic pieces, such as a HIPAA-compliant EHR, firewall, anti-virus software, and staff training, are all in place. It is these very safeguards, though, that can give leaders a false sense of security, making them complacent about day-to-day risk management. For instance, how vigilant are you about each of the following:</span></p>
<ol>
<li>Reviewing the audit log from your EHR system for suspicious activity – and following up?</li>
<li>Reviewing the network activity log and addressing any suspicious patterns?</li>
<li>Ensuring that system and facility access for all departing employees is terminated at the time of departure?</li>
<li>Ensuring that all software patches are implemented as soon as possible after release?</li>
<li>Regularly reviewing and addressing the issues identified in your Security Risk Assessment (we recommend at least monthly)?</li>
<li>Conducting <em>ongoing</em> security training for all members of the workforce (not just once per year)?</li>
<li>Applying sanctions to members of the workforce – including physicians – who put information security at risk with unsafe practices?</li>
<li>Ensuring the security of new medical devices before deploying them on the network?</li>
<li>Documenting and periodically reviewing all “security incidents”?</li>
<li>Completing a new Security Risk Assessment after a major organizational, facility or IT change?</li>
</ol>
<p>Don’t get me wrong – I know it’s hard to do all of this! It requires time, money, and knowledgeable staff.</p>
<p>Here&#8217;s my take on overcoming these three very common roadblocks to risk management.</p>
<p><strong>Time</strong> – <em>“I don’t have time…My staff doesn’t have time.”</em></p>
<p style="padding-left: 30px;">Ask yourself, “When I am breached, where will I find the time to deal with the fallout?” Spending 1-2 hours per week (e.g., first thing every Friday morning) delegating and following up on the issues above could greatly reduce your risk of a breach, the extent of a breach if one happened, and the OCR fine should a breach or random audit occur.</p>
<p><strong>Money</strong> – <em>“It costs too much…Those costs shouldn’t come out of my budget – that’s IT’s responsibility.”</em></p>
<p style="padding-left: 30px;">Whose budget will pay the breach remediation costs? One medium-sized medical practice (20<sup>+</sup> providers) spent more than $1 million on patient notifications alone after experiencing a breach. Cyber insurance will cover some of the costs, but most organizations are under-insured and find themselves paying legal fees, increased operational costs, and fines while experiencing decreased revenues due to the negative reputational impact. Don’t be penny wise and pound foolish. Find the money to invest in information security <em>before</em> a breach occurs. And if the accounting system is a barrier, lobby your peers and CFO to make “information security” a line item in everyone’s budget.</p>
<p><strong>Knowledge/Skill</strong> – <em>“I don’t know how…My people don’t know how.”</em></p>
<p style="padding-left: 30px;">The OCR adheres to the general legal guideline that “ignorance is no excuse.” Numerous free resources are available on the OCR’s website, and multiple vendors offer relatively low-cost HIPAA training courses for clinical staff and compliance officers. There are also service providers that can provide monthly or quarterly cyber security support services if your own IT staff lack that expertise. Teach yourself, go to training, or find someone knowledgeable to help you. Don’t let ignorance keep you from protecting some of your organization’s most valuable assets – your patients’ information and your professional reputation.</p>
<p>Contact us today – 512.310.0020 or <a href="mailto:info@thirdrock.com">info@thirdrock.com</a> for more information on completing a security risk assessment, developing a risk management program, or becoming a Partner to make these or related services available to your clients.</p>
<h3 style="text-align: center;"><strong>Protect your Patients. Protect your Organization. Protect Yourself!</strong></h3></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5185</post-id>	</item>
		<item>
		<title>Internet of Medical Things:  Real Security Threat or Hype?</title>
		<link>https://thirdrock.com/blog/2018/01/19/internet-of-medical-things-real-security-threat-or-hype/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Fri, 19 Jan 2018 15:15:11 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Focus on Technology]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[connected devices]]></category>
		<category><![CDATA[FDA]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[Manufacturer Disclosure Statement for Medical Device Security]]></category>
		<category><![CDATA[medical devices]]></category>
		<category><![CDATA[Quality System Regulations]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Security Risk Assessment]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5075</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/01/19/internet-of-medical-things-real-security-threat-or-hype/">Internet of Medical Things:  Real Security Threat or Hype?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_6 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-3047 size-medium" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/mHealth-technolgy-sytstem-300x138.jpg?resize=300%2C138&#038;ssl=1" alt="" width="300" height="138" /></p>
<p>For decades, healthcare medical devices functioned as freestanding tools. Glucometers, lasers, infusion pumps, pressure monitors, neonatal incubators, heart monitors – each serving its unique function independently of the others. With the widespread implementation of electronic health records (EHRs), however, and the push for increased digitization of health information, these devices have increasingly been networked into the patient information ecosystem.  They now transmit PHI between a myriad of systems including the EHR system, bed management, supply chain management, and billing systems.</p>
<p>The variety and use of these devices have proliferated. The <a href="http://www.himss.org/medical-device-security">HIMSS Medical Device Security Workgroup</a> reports that hospitals and similar healthcare delivery organizations typically have “300% to 400% more medical equipment than IT devices.” In a study of US hospitals cited in <a href="https://www.wired.com/2017/03/medical-devices-next-security-nightmare/">Wired Magazine (3/02/17)</a>, <a href="https://www.zingbox.com/press-releases/survey-reveals-healthcare-it-decision-makers-approach-to-iot-security/">ZingBox reported</a> an average of 10-15 connected devices per bed. That translates into approximately 4500 connected medical devices for the average 300-bed community hospital &#8211; and up to 75,000 devices for a large metro medical center with 5,000 beds!</p>
<p><strong>Are devices vulnerable to hacking?</strong></p>
<p>To date, the number of medical device breaches and the number of patient records exposed by those breaches have been seemingly negligible when compared to the large-scale data losses due to hacks of healthcare organizations’ primary IT systems or losses of unencrypted mobile devices. But there have been hacks, and there are several reasons to expect medical devices to be increasingly exploited:</p>
<ul>
<li>As more medical device developers rely on off-the-shelf operating systems to speed development and/or facilitate integration with other systems, the vulnerabilities of the parent code are transferred to the devices, increasing their vulnerability.</li>
<li>The increased networking of devices makes them a more attractive target for hackers because they provide additional points of entry to other systems.</li>
<li>A Trend Micro study found a large number of devices to be discoverable on Shodan, a search engine for connected devices.</li>
</ul>
<p>In fact, <a href="https://www.darkreading.com/threat-intelligence/medical-devices-fall-short-in-security-best-practices/d/d-id/1328964">a study by Ponemon Institute</a> found that 67% of medical device makers <em>expect</em> an attack on their devices in the next 12 months!</p>
<p><strong>Didn’t the FDA pass regulations to fix this?</strong></p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-4973 " style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Red-notebook-of-Regulations.jpg?resize=248%2C186&#038;ssl=1" alt="" width="248" height="186" scale="0" /></p>
<p>Yes – and no, depending on who you ask. The FDA is quoted in many news articles saying that medical device manufacturers are responsible for complying with “quality system regulations” (QSRs), which include requirements for addressing cybersecurity risks, but both law firms and industry executives say the compliance environment remains murky:</p>
<ul>
<li>Some devices have been downgraded from “Class III” – high risk and mandatory compliance – to “Class I” – low risk and “unregulated,” though they still could pose a cybersecurity risk.</li>
<li>Once a device is in use, it’s not clear whether the device manufacturer or the healthcare delivery organization is responsible for continued patching as cyber threats evolve.</li>
<li>The FDA doesn’t actually test medical devices for their compliance with the QSRs.</li>
<li>Reporting of device malfunctions, including cybersecurity breaches, to the FDA is voluntary.</li>
</ul>
<p><strong>Know-how and budget are also factors.</strong></p>
<p>Because cybersecurity of devices is still a relatively new concern in the medical device and healthcare delivery industries, lack of knowledge regarding both the threat and the appropriate risk management responses remains a problem. The <a href="https://www.zingbox.com/press-releases/survey-reveals-healthcare-it-decision-makers-approach-to-iot-security/">ZingBox study</a> also found that 70% of healthcare IT decision-makers believe that the same security solutions used for laptops and servers are sufficient for all their connected medical devices, a misconception that the report goes on to explain.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5082 " style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/spreadsheet-financials-300x200.jpg?resize=242%2C161&#038;ssl=1" alt="" width="242" height="161" /></p>
<p>Despite two-thirds of medical device manufacturers anticipating an attack on their devices, only 15% of study respondents anticipate taking measures to mitigate the risk! Senior executives in the field say it usually comes down to budget and production deadlines. Because cybersecurity protections don’t improve device performance in terms of clinical care, they are often looked upon as a cost. Similarly, when cybersecurity flaws are discovered too far into the development process, decision makers often determine that the rework required to build in the cybersecurity protections is too costly. So devices go to market with <em>known</em> cybersecurity flaws.</p>
<p><strong>So what to do?</strong></p>
<p>As a healthcare delivery organization, you are the gatekeeper between the medical device vendors and patients. Regardless of who is technically at fault for a medical device breach, if a breach were to occur, it would be your patients’ information lost and your reputation damaged!  Thus it is up to you and your organization to set the standard for medical devices coming into your organization and to include medical devices in your annual security risk assessment.</p>
<p>Start by requesting information from your device vendors about each of the device types on your network using the <a href="http://www.himss.org/resourcelibrary/MDS2">Manufacturer Disclosure Statement for Medical Device Security ((MDS)<sup>2</sup>)</a>, which was collaboratively developed by the National Electrical Manufacturers Association (NEMA) and the Health Information and Management Systems Society (HIMSS).</p>
<p>Finally, if you have questions about assessing the risk of an Internet-connected device or need help completing a comprehensive Security Risk Assessment, contact us at <a href="mailto:info@ThirdRock.com">info@ThirdRock.com</a> or 512.310.0020.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5075</post-id>	</item>
		<item>
		<title>Shortage of Qualified Cybersecurity Workers: “…the greatest cyber risk of all.”</title>
		<link>https://thirdrock.com/blog/2018/01/17/shortage-of-qualified-cybersecurity-workers-the-greatest-cyber-risk-of-all/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Wed, 17 Jan 2018 20:00:53 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[cybersecurity career options]]></category>
		<category><![CDATA[cybersecurity professional]]></category>
		<category><![CDATA[cybersecurity training]]></category>
		<category><![CDATA[cybersecurity worker shortage]]></category>
		<category><![CDATA[occupational outlook]]></category>
		<category><![CDATA[on-the-job training]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5020</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/01/17/shortage-of-qualified-cybersecurity-workers-the-greatest-cyber-risk-of-all/">Shortage of Qualified Cybersecurity Workers: “…the greatest cyber risk of all.”</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_7 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_7">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_7  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_7  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-3604" style="margin-top: 5px; margin-right: 12px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Blue-Cyber-Security-key-on-grey-keyboard-1.jpg?resize=200%2C133&#038;ssl=1" alt="" width="200" height="133"></p>
<p>The <a href="https://iamcybersafe.org/gisws/">2017 Global Information Security Workforce Study (GISWS)</a> released in February 2017 forecast a shortage of 1.8 million cybersecurity workers by 2020, while a <a href="https://cybersecurityventures.com/jobs/">study by Cybersecurity Ventures</a> estimates “3.5 million unfilled cybersecurity jobs” by 2021. While the projected magnitude of the shortfall varies from one study to the next, government experts, consultants, and pundits alike are unanimous in predicting that the current shortage of qualified cybersecurity workers will only get worse for the foreseeable future, a situation <a href="https://www.csoonline.com/article/3199016/security/cisco-and-ibm-announce-historic-cybersecurity-partnership.html">Steve Morgan</a> has called &#8220;the greatest cyber risk of all.&#8221;</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5036" style="margin-top: 10px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Training-Courses-in-white-on-blue-key.jpg?resize=200%2C133&#038;ssl=1" alt="" width="200" height="133"></p>
<p>There is less agreement about why the shortage exists and, therefore, how to fix it. &nbsp;The traditional school of thought is that educational institutions haven’t prepared enough graduates to meet the growing need. The implied solution from this perspective is to increase educational capacity by creating new programs and increasing enrollments in all programs through better marketing and outreach efforts. Outspoken critics of this perspective, however, say that cybersecurity is <em>not</em> an entry-level position and that graduates of cybersecurity programs lack the technical depth required to be effective.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-5034" style="margin-top: 5px; margin-right: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Training-and-Development-in-white-on-blue-key.jpg?resize=198%2C132&#038;ssl=1" alt="" width="198" height="132"></p>
<p>These critics offer an alternative perspective – cybersecurity professionals are not trained in the classroom but must be developed on the job after gaining expertise in IT operations. So rather than casting about externally for cybersecurity talent that isn’t available, IT managers should be looking within their own ranks for people who could be trained in security. For instance, in a 2015 <em>Computerworld </em>column, “<a href="https://www.computerworld.com/article/2979858/it-skills-training/the-myth-of-the-cybersecurity-skills-shortage.html">The myth of the cybersecurity skills shortage</a>,” Ira Winkler wrote, “The best security practitioners have experience in the technology and processes that they are supposed to secure…If you have no experience as a system administrator, you cannot maintain the security of a system.” He goes on to say that most of his work as a security professional has been to shore up poorly designed, poorly configured, and poorly maintained systems, which requires IT knowledge, rather than using hacking knowledge he gained in his training. But this perspective also has critics.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5035" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Build-Talent-in-white-on-blue.jpg?resize=200%2C133&#038;ssl=1" alt="" width="200" height="133"></p>
<p>A third point of view is that IT managers who only look for security professionals with IT/computer science credentials are creating the shortage through their own myopia. In a <a href="https://hbr.org/2017/05/cybersecurity-has-a-serious-talent-shortage-heres-how-to-fix-it"><em>Harvard Business Review</em></a> article, Marc van Zadelhoff, General Manager of IBM Security, describes IBM’s approach of creating “new collar” jobs. They look for people with “unbridled curiosity, passion for problem solving, strong ethics, and an understanding of risks” – characteristics that can’t be taught – and then train them in the necessary technical skills through on-the-job programs, vocational and community college courses, and industry certification programs, such as those offered by <a href="https://www.isc2.org/">(ISC)<sup>2</sup></a>. Supporting this view is the finding in the Global Information Security Workforce Study that 87% of current cybersecurity workers began their career in another field, some in other IT roles but many in non-IT fields.</p>
<p><strong>So what’s the answer?</strong></p>
<p>Like most difficult organizational problems, there is no single cause and, therefore, no single solution. Addressing the cybersecurity personnel shortage will require focused and creative efforts on the part of educators, managers, trade associations, and employees alike.</p>
<ul>
<li>Educators need to work closely with industry to identify the needed knowledge and skills to integrate into existing curricula or to serve as the basis for new programs.</li>
<li>Managers, meanwhile, with support from HR and other training resources, may need to create their own internal on-the-job training programs for existing personnel, creating opportunities for lateral moves into security positions.</li>
<li>Managers may also need to cast a wider net for potential security talent as IBM has done, looking for people with the necessary character and an eagerness to learn outside the IT ranks.</li>
<li>Trade associations, such as <a href="http://www.issa.org/">ISSA</a> and <a href="https://www.isc2.org/">(ISC)<sup>2</sup></a>, can pool resources to raise awareness among high school students, college students, <em>and</em> midcareer professionals of available cybersecurity career options and the paths available for acquiring the needed knowledge and skills.</li>
<li>Workers already in cybersecurity positions will need to adapt to their role as teacher/mentor to those moving into security positions, respecting those with non-IT backgrounds as possibly bringing in fresh perspectives.</li>
</ul>
<p>Finally, even if there were an excess of cybersecurity pros, they cannot safeguard an organization alone. All workers, managers, and executives, from the front desk and loading dock up to the C-suite, must come to recognize that cybersecurity is now a part of <em>everyone</em>’s job! More on this in the weeks to come.</p>
<p>Is a personnel shortage putting your organization at risk? Contact us for a third-party Security Risk Assessment to find out: 512.310.0020 or <a href="mailto:info@thirdrock.com">info@thirdrock.com</a>.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5020</post-id>	</item>
		<item>
		<title>MACRA Deadline Approaching &#8211; Schedule your SRA today!</title>
		<link>https://thirdrock.com/blog/2017/11/30/macra-deadline-approaching-schedule-your-sra-today/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Thu, 30 Nov 2017 15:00:23 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[MACRA]]></category>
		<category><![CDATA[security risk analysis]]></category>
		<category><![CDATA[Security Risk Assessment]]></category>
		<category><![CDATA[SRA]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=4833</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2017/11/30/macra-deadline-approaching-schedule-your-sra-today/">MACRA Deadline Approaching &#8211; Schedule your SRA today!</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_8 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_8">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_8  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_8  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h4>MACRA Deadline Approaching &#8211; Schedule your SRA today!</h4>
<p>In an effort to help medical practices maximize their Medicare reimbursements by meeting MACRA requirements, Third Rock is offering a 20% discount for our Security Risk Assessment package if you schedule your SRA with Third Rock by December 8th.</p>
<p>Our tool,&nbsp;<a href="https://www.compassdb.io/" target="_blank" rel="noopener noreferrer">CompassDB</a>, makes doing an SRA fast and easy.</p>
<p>Our package offer includes:</p>
<p>✓ Security Risk Assessment and detailed report<br />
✓ A Security Risk Management consultant available onsite or online<br />
✓ Custom Policies and Procedures<br />
✓ Prioritized Corrective Action Plan<br />
✓ On-demand training for Staff and Compliance Officers<br />
✓ One year access to our online compliance management tool<br />
✓ Remote customer service for one year</p>
<p>Contact Julie Rennecker at 512-310-0020&nbsp; x113 today to&nbsp;schedule your SRA.</p>
<p>Questions?&nbsp; Email&nbsp;<a href="mailto:julie.rennecker@thirdrock.com" target="_blank" rel="noopener noreferrer">Julie.Rennecker@thirdrock.com</a></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">4833</post-id>	</item>
		<item>
		<title>Upcoming Events of Interest</title>
		<link>https://thirdrock.com/blog/2017/11/29/upcoming-events-of-interest/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Wed, 29 Nov 2017 21:30:14 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Patient Information Privacy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Third Rock presentations]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=4838</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2017/11/29/upcoming-events-of-interest/">Upcoming Events of Interest</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_9 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_9">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_9  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_9  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>The <a href="https://www.hcca-info.org/Events/EventInfo.aspx?sessionaltcd=003_AREA1917" target="_blank" rel="noopener noreferrer">Health Care Compliance Association Regional Conference</a> will be held in Houston on Dec. 8, 2017.<br />
Third Rock&#8217;s COO, Ed Jones, PMP, CHSP, will be participating on a panel discussing the importance of Patient Information Privacy along with representatives from <a href="http://www.thsa.org/" target="_blank" rel="noopener noreferrer">THSA</a> and <a href="https://www.winstead.com/" target="_blank" rel="noopener noreferrer">Winstead, PC.</a></p>
<p>Members of our Third Rock Team will also be in Dallas on Dec. 14 &amp; 15 for the <em>Cybersecurity Forum </em>at the Dallas Health IT Summit. The <em>Cybersecurity Forum</em> brings together experts in healthcare IT security and privacy issues to discuss key trends in the IT security/privacy sphere, and the top challenges facing the leaders of patient care organizations in this critical area.</p>
<p>For more information on these events and others, please visit our events page.  We welcome you to attend!  Contact us at <a href="mailto:info@thirdrock.com" target="_blank" rel="noopener noreferrer">info@thirdrock.com</a> if you would be interested in having a member of our team present at one of your events.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">4838</post-id>	</item>
	</channel>
</rss>
