Endpoint Security , Governance & Risk Management , Internet of Things Security

Regulator Offers Asset Management, Mobile App Advice

OCR Provides Guidance as Well as Enhanced Portal
Regulator Offers Asset Management, Mobile App Advice

Federal regulators are reminding healthcare organizations about the importance of accurate and timely IT asset inventory management to help reduce breach risk. In addition, regulators have beefed up a HIPAA guidance portal for mobile app developers.

See Also: Live Webinar | Securing Mobile Endpoints to Protect IP in the Pharma Industry

The new asset management guidance from the Department of Health and Human Service' Office for Civil Rights comes as the risks to connected devices grow. And the agency's enhanced portal for mobile app developers comes as the federal government pushes for the use of standards-based application programming interfaces to allow patients to access their electronic health records using smartphones and other mobile devices (see HHS Releases Final Data Sharing Rules).

Asset Management

In a cybersecurity newsletter, OCR notes that its HIPAA breach investigations "frequently find that organizations lack sufficient understanding of where all of the electronic health information is located."

Although the HIPAA Security Rule does not require it, creating and maintaining an up-to-date, information technology asset inventory serves is an important step toward enhancing security, OCR notes.

A complete and timely IT asset inventory can also assist "in the development of a comprehensive, enterprisewide risk analysis to help organizations understand all of the places that ePHI may be stored within their environment and improve their HIPAA compliance," OCR writes.

Connected Devices

While creating and maintaining an IT asset inventory can aid in identifying risks to ePHI, it's also important to track IT assets that may not store or process ePHI, OCR stresses.

"Assets within an organization that do not directly store or process ePHI may still present a method for intrusion into the IT system that could lead to risks to the confidentiality, integrity and availability of an organization's ePHI," OCR writes.

"For example, consider an internet of things or a smart, connected device that provides access to facilities for maintenance personnel for control and monitoring of an organization's heating, ventilation and air conditioning. ... Although it does not store or process ePHI, such a device can present serious risks to sensitive patient data in an organization's network."

Unpatched IoT devices with known vulnerabilities, such as weak or unchanged default passwords installed in a network without firewalls, network segmentation or other techniques to deny or impede an intruder's lateral movement, can provide an intruder with a foothold into an organization's IT network, OCR notes. "The intruder may then leverage this foothold to conduct reconnaissance and further penetrate an organization's network and potentially compromise ePHI."

Real-World Risks

Real-world examples of IoT devices used for malicious activities include "incidents reported by Microsoft in which malicious actors were able to compromise a VOIP phone, printer and video decoder to gain access to corporate networks," OCR points out.

"The hackers were able to exploit unchanged default passwords and unpatched security vulnerabilities to compromise these devices. Once inside the network, the hackers were able to conduct reconnaissance and access other devices on the corporate network in search of additional privileges and high-value data."

In a 2016 breach affecting more than 3 million individuals that did not involve systems containing ePHI, hackers compromised payment card processing systems at some Banner Health food and beverage outlets.

Mobile App Portal

On Wednesday, OCR announced an updated portal that serves as a repository for guidance material on when and how HIPAA regulations apply to mobile health applications.

"Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected," OCR notes on the updated portal site.

Among materials contained in the portal are frequently asked questions about how the HIPAA rules apply to apps and application programming interfaces.

The enhanced portal also includes previous OCR guidance on what federal laws and regulations might apply to app developers.

Concerns About Emerging Risks

The privacy and security of mobile health apps and APIs is becoming a hot topic in the healthcare sector. HHS' Office of the National Coordinator for Health IT in March issued a final rule - as called for under the 21st Century Cures Act - setting requirements for certified health IT developers to establish a secure, standards-based API for use by providers and to support a patient's access to core data in their electronic health record.

Some privacy and security experts note that giving patients easier access to their electronic health information through smartphones and other mobile applications creates potential risks.

"The push to openly provide access via these applications to healthcare records is a bit concerning from a security perspective," says Jarrett Kolthoff, CEO of SpearTip, a cyber counterintelligence firm.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing devicesecurity.io, you agree to our use of cookies.