secalerts.co/news/no-federal-funding-for-us-healthcare-providers-lacking-cyber-security/4VFNjpb6oxtJyqRW2jFOyh
The US government is laying down the 'cyber law' for healthcare providers and will outline requirements for hospitals to establish basic digital cyber security defences ... or miss out on receiving federal funding.
Two guys I know from WGU both got jobs in the Healthcare system. Healthcare seems to take security pretty seriously, which is nice since they have so much personal info.
Being a network security engineer at a large hospital can vouch we take security very seriously and the budget for it is HUGE.
Cybersecurity degrees?
Yes, WGU offers Bachelors and Masters. You get all of the Certifications along the way of the Degrees, e.g. A+, Security+, Linux LPI, Pentest+, CYSA, ISP, etc.
That's what I'm saying, more for me lol
This isn't yet an actionable requirement. HHS hasn't released new requirements.
“The government is homing in on those key cybersecurity practices that we really do believe bring a meaningful impact,” said one senior administration official, who asked to remain anonymous, adding that practices like these “shut the door to most of our cyber incidents.”
Any actual changes have to go through the usual comment period.
HHS has released a concept paper here, but that's far from binding.
It's still a signal to the industry that change and additional regulations are coming in one form or another.
that's far from binding
Unfortunately, that won't stop people from treating it as gospel and running with it.
See people getting all lathered up over EO 14028 as an example of such incompetence.
The article didn't even provide a single source. Thanks for sharing something actually useful to work with.
Your healthcare and insurance bills are about to jump (more than they would've anyway).
Here's hoping it's good news for the people working in this sector, taking the vague wording in HIPAA and turning it into something actionable and scorable. Also hoping data-snorting companies like Meta & Google are held accountable and to a higher standard.
...not holding my breath.
They don’t need an excuse to raise the bills, but this will give them cover for sure. This is needed, however. I’ve worked in healthcare for a large portion of my career and cybersecurity is still seen as a nuisance and necessary evil. And god forbid you have physicians running the company. They all think they know everything, but my experience has been quite the opposite. They might know medicine but that’s usually where their expertise ends.
I have been in cybersecurity for going on 20 years now and I have always wanted to pivot to working for hospitals or companies that do good..... but then I hear stories of chronic underfunding and general chaos and no thanks, if the org is not ready to support the effort then there is no hope.
Lawyers and doctors. Just don't do it.
I’ve been in healthcare IT and adjacent to it. On the security side, I’ve seen lots of reports that show internationally overall healthcare makes up around 60% of cybersecurity incidents and attacks, in particular ransomware. I’ve seen it happen a half dozen times personally even to small practices. Some of these offices even buy cybersecurity insurance instead of investing in critical infrastructure and BCDR systems! And insurance pays out to the hackers in bitcoin and half the time the office still didn’t get their data unlocked!
just gotta find the right one. I work for a large healthcare system who takes security very seriously. We're part of the H-ISAC and share stuff between each other.
The bad part is it takes forever to change the way anything is done and adding new tech is difficult to say the least. We usually stick with a brand we know like Cisco because legal has signed off on them, etc rather than looking for a newer, better solution.
I am going to add that H-ISAC question to any hospital that I do consider applying to. I still like the idea of working for a good organization and that is a good filter.
And yeah, the legal/procurement nightmare is pretty universal, I always add 3-6 months just for them on any new project
*Edit, meant to say Hospital instead of bank
Is it remote-friendly or do you have a room in the hospital you have to report to? I always imagine working for a healthcare system means outdated equipment in an outdated dreary small room. I'd love to work for a healthcare system in theory (for the cause) but would be wary of the bureaucracy and lack of investment into employees
fully remote
there are offices though, no one works in hospitals from ITSEC
Can comment on the other person that I was fully remote doing help desk level 1. I got a nice Jabra headset to use too. Higher level jobs like an analyst I knew got standing desks for home
Oh sweet. Was this during COVID times or do you know if it's still like that? I would expect a hospital to be the last place to be remote friendly especially at entry level so that's good news
I left there as a contractor a year ago when it was like that. Oh, that's the other thing I forgot to mention is that I was not actually employed directly by the hospital but as a temp contract but still fully remote. The remote employee on our team that was the farthest away was about 1,000 miles and I was about 300 miles away to give you an idea. That guy was grandfathered in though from what I was told
entirely depends on the org
Hospitals are part of the holy trinity of buffoonery -- along with banks and gov't.
A hospital I worked at spent a lot of money (I think around a million) on Crowdstrike. So, I would suggest to work there and still be able to do good knowing Crowdstrike has hospitals as clients.
Your username is fantastic.
I've worked as cybersecurity leader in healthcare for years - we could probably have a great conversation over a few drinks, you and I...
With this coming about I would think more jobs would open up
It will be a bonanza for consulting firms to do more compliance projects
What type of consulting firms? I'm trying to get into GRC
Accenture, Deloitte, EY, KPMG and PwC, IBM plus a bunch of smaller consultancies and most GRC software companies. It’s almost always high travel (unless you live near a large number of clients or specialize in Federal gov), but pays well.
I have a clearance and sec+ so I meet the bare minimum requirements. Haven't had luck finding the companies that do compliance. I'll check out these and do some linkedin networking.
Thanks!
If you have clearance, most of them have large federal cybersecurity practices that serve government and government contractors where they’re looking for cleared or clearable personnel.
Some are organizationally fragmented and have GRC people sitting in both Consulting and Assurance divisions - in case it affects filtering in the careers section of their websites.
I like drinks. It’s how I’ve been able to muddle through for the last 20 years :)
Physicians are mostly assholes, self absorbed and they think they are gods, some of the worst people on the planet, seriously.
That's a stereotypical surgeon personality but not necessarily representative of the other specialities
Yea for sure. There's a lot of good hearts out there; unfortunately there is also a lot of greed, judgment, competition, etc. and it mucks it all up.
I’ve had docs INSIST they needed windows server as their desktop OS. It’s gotta be better, right? The CEO (another doc) couldn’t understand why he wasn’t a domain admin!
We aren’t going to give you domain admin until you prove you are “master of your domain!”
Can confirm, I work in healthcare IT, had to explain to a Doctor in 2023 how to press the triangles on his inbox folders in outlook to expand them and see the contents.
Not just HIPAA, but FDA guidance on medical devices which contain software or straight up are software, has made security a much higher priority for medical devices.
I expect more difficulty in anything that has to go through a 510(k).
I've walked into auxiliary buildings for hospitals with server closets wide open, with "do not close door" signs on them.
I'm not convinced they will care.
Let’s start with a law that prevents hospitals and healthcare providers from demanding that patients hand over their valuable identity documents, specifically, a government-issued photo ID, without any guarantees about how they’ll safeguard your ID, including a mandatory rule that hospitals and healthcare providers must hand the patient, 1) A copy of the provider’s Data Security Policy. Trying to get them to hand that over currently is like pulling teeth. 2) Financial reimbursement for every patient record accessed in a data breach and/or allowing a patient to sue for damages when a data breach occurs containing their data.
Establishing serious financial penalties is the only way to get the attention of healthcare providers who presently refuse to spend real money on security.
You mean like HIPAA?
HIPAA cannot stop a healthcare provider from demanding you hand over ID documents.
Healthcare providers don't just require IDs for the fun of it. CMS, a government entity, requires ID verification to prevent fraud. It's in the conditions of participation. Other insurance companies do as well.
HIPAA requires healthcare orgs and their Business associates secure your ID documents against unauthorized disclosure.
And that’s the problem. You have healthcare organizations that don’t provide adequate security and protection, yet at the same time, demand that people hand over their valuable ID documents.
There are multiple ransomware attacks weekly. At present, consumers are told by healthcare: "Oops, your data was stolen in a cyberattack. Here's 2 years of credit monitoring. Good luck." You can't tell people their ID documents are valuable and then treat them as if they're not.
The part you don't see is the large fines these organizations face from the OIG if you're not adequately securing data.
Simple truth though, the cybercriminals already have your IDs and they don't need to breach a hospital to get them. Your financial institutions, your local government, state government, federal government, court systems, credit agencies, and nearly every company you do or have done business has already been breached.
Why then continue to support a broken system that in addition to not taking security seriously, places the burden on the victims of cybercrime?
So hipaa/hitech act 2.0?
HITECH was kinda HIPAA 2.0. So this would be HIPAA 3.0a?
At least!
I think that’s largely presumptuous that they’d lose funding, at least in the early stages. In fact, it’s probably the opposite if they don’t yet meet qualifications. A lot of hospital systems are still small. But they are implementing new requirements. Personally I think more screws should be put in the large vendors and medical device manufacturers who refuse to update their shit because “it only works with Word 2007.”
Nevertheless here’s the Healthcare Cybersecurity strategy
https://aspr.hhs.gov/cyber/Documents/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf
Why stop it just at Healthcare, we should mandate minimum security standards for any websites that take personal information. Like let's ban md5 for password hashing, let's require MFA, Etc. There's so many small little things that can be done to dramatically increase security.
WHOA WHOA WHOA STOP SHUT UP
Have you ever used the internet in a foreign country? Particularly Korea or Japan? Because what you’re describing is what they do and it is fucking TERRIBLE
I really wish we had that in Canada
No you don't.
It's compliance masquerading as security.
The standard really isn't a standard -- and as such organizations interpret shit that isn't in HIPAA as if it was in HIPAA.
20 years too late
I think there should be civil penalties for PII/PHI loss well above the "We'll give you a free year of this crappy ID protection service." deal. Identity restoration is extremely expensive as well as stressful.
There should be an added penalty for any use of HIPPA.
Straight to jail. Right away.
Do you mean sensitive PII, or a HIPAA violation? HIPAA is a piece of legislation
They (government) can’t even manage their own money or their own security. Don’t think they deserve to tell others how to run their business.
When it’s been left to hospitals to run their own digital security over patient records. They’ve shown they do a shit job at it.
They’ve shown they do a shit job at it.
News flash... HIPAA hasn't improved that.
HIPAA has created an additional burden of paperwork and check the box compliance exercises for both patient and front line care provider.
But it hasn't improved security.
What HIPAA has done is increase the cost of an incident by 10% over the past few years but the number of incidents aren't going down.
In H1 of 2022... the most current data I found at a glance, hospitals experienced 337 data breaches affecting nearly 20MM patients.
1) It isn't an abnormal process for industry standards (or any laws, to be honest) to begin very high level and then start requiring more specific things. I agree with you that without details HIPAA isn't very useful, but the lifecycle of legislation is just way slower than what the IT industry is typically used to (or even needs).
2) The fact that hospitals suffered breaches or not isn't evidence for HIPAA usefulness or not. Even industries with very serious security needs get breached all the time.
The fact that hospitals suffered breaches or not isn't evidence for HIPAA usefulness or not.
That's pure nonsense.
The preponderance of opinions in this thread is that HIPAA is needed for security.
The data does not support your or those opinions.
That's pure nonsense.
Lol. Amazing argument here. A lot of things can impact how common security incidents are; you can't just link those two things arbitrarily.
Every year there's more and more road accidents; does it mean that transport safety legislation is useless? No, it just means there's more and more cars on the road, or that somehow the risk profile has changed. 15 years ago ransomware attacks weren't as common as today, and orgs like hospitals weren't really common targets; don't you think it could have an impact?
The preponderance of opinions in this thread is that HIPAA is needed for security.
Well, historically legislation and industry standards have been quite successful in making executives take security more seriously. In fact, a shitload of organisations started their security programs because they were suddenly legally compelled to do so! We can certainly do things better, but to just claim that HIPAA is useless (and I guess should be just canned?) is wild.
The data does not support your or those opinions.
The way you weirdly linked a statistic regarding the number of incidents to justify or not HIPAA's usefulness raises questions about your ability to interpret such data.
Lol. Amazing argument here. A lot of things can impact how common security incidents are; you can't just link those two things arbitrarily.
I researched this, I stratified the variables, I looked at actual numbers.
All you've posted is personal opinion.
Amazing argument and LOL indeed.
but the lifecycle of legislation is just way slower than what the IT industry is typically used to (or even needs).
You're essentially making part of u/hunt1ngThr34ts 's point for them.
Ha!
This sub never ceases to crack me up.
You're essentially making part of u/hunt1ngThr34ts's point for them.
Which point?
That the government "can't even manage their own money" (which is irrelevant)?
That they can't do "their own security"? (which is also irrelevant - the people working in the fed internal security programs aren't the same people working on laws and regulations).
Or that the government doesn't "deserve" (wtf?) to enact legislation or not?
Yeah.
You're getting negged but the data shows otherwise.
For those of you that are going to neg me, see my comment below.
I've helped two or three friends secure their credit because hospitals have lost their credit information in a breach. It's INSANE
I can see the loopholes and shortcuts from here. This will be abused.
Hopefully it doesn't end up like the rules around OT.
What? You mean the Cyber Threat Intelligence League, formerly known as the Justice League, isn't doing enough pro-bono work???
How about the federal government providing funds for cyber improvements instead of the funding just because
Isn’t this what HIPAA was supposed to do
HIPAA isn't enforced. Complaints go to the Office for Civil Rights and violators have to take a mandatory 1 hour HIPAA class and are threatened with a fine. I filed two complaints in my life and I won't ever file a third.
Institutions that have been fined disagree.
Hey I had that idea already
So I believe all this came from when Seattle got hacked there last year. The hackers are going after the patients now to press the hospital to hand over the money or something like that
That's a start but my concern is that some hospitals or healthcare institutions will try to do the bare minimum to ensure they get the funding.
The other concern is the methodology of introducing AI in the healthcare space to ensure the security and integrity of the data they are pulling.
Sounds like job opportunities to me