About the Authors
Introduction: Why Healthcare Businesses Make Attractive Targets for Cyber Attacks

Chapter 1  General Overview of Healthcare Cybersecurity Threats
  I    [heading missing]   2
    A  [heading missing]   2
    B  [heading missing]   3
    C  [heading missing]   3
    D  [heading missing]   3
    E  Denial of Service Attacks   4
    F  Trojans and Other Malware   4
    G  [heading missing]   5
    H  [heading missing]   5
    I  [heading missing]   5
  II   [heading missing]   6
    A  Insider Access Is Dangerous   6
    B  The False Hope of Strong Perimeters   6
    C  The Challenge of Frequent Visitors   7
    D  The Costs of Local Hosting   7
    E  The Worry of Shared Hardware   7
    F  The Challenge of Backups   8
    G  Strange and Unclear Motives   8
    H  Uncertain Value of Leaked Data   9
    I  [heading missing]   9
    J  Sandboxes Limit Innovation   10
  III  Conclusion: Is Healthcare Special?   10

Chapter 2  Ransomware in the Healthcare Industry
  I    [heading missing]   11
  II   The Basics of Ransomware   12
    A  The History of Ransomware   12
    B  How Does Ransomware Infect Computers?   14
    C  Ransomware as a Lucrative Crime   17
    D  The Threat of Ransomware in the Healthcare Setting   18
  III  The Existing Legal Framework for Ransomware Attacks   22
    A  The Health Insurance Portability and Accountability Act   22
    B  [heading missing]   25
  IV   Preventing and Managing a Ransomware Attack   26
    A  Preventing a Ransomware Attack   26
    B  Managing a Ransomware Attack   30
    C  Negotiating with Ransomware Hackers   32
  V    Alternative Future Solutions to the Ransomware Problem   36
    A  Imposing a Tax on Ransomware Payments to Be Used for Anti-Hacking Efforts   36
    B  Prohibiting Insurance Coverage for Ransomware Attacks   37
    C  Requiring Healthcare Organizations to Pass Annual Cyber Inspections and Employ Cyber Guards   38
  VI   [heading missing]   38

Chapter 3  How to Prepare for and Respond to Cybersecurity Attacks
  I    Cybersecurity and Compliance Requirements of Healthcare Entities   39
    A  Focus on "Reasonable" Processes for Attack Prevention and Preparation Strategies   40
    B  Identify PHI: Data Mapping, Data Purging, and Reasonable Safeguards   42
    C  Assessing Cyber Risks: External, Internal, and Physical Safeguards   43
    D  Developing an Incident Response Plan: Strategy and Planning   44
  II   Incident Response Best Practices   46
  III  Notification: Overview of Federal and State Reporting Requirements   48
    A  HIPAA Breach of Unsecured PHI   48
    B  Breach of Personally Identifiable Information under State Laws   50
    C  Notifications to Individuals, Governmental Agencies, Credit Reporting Agencies, and Media   50
    D  Breach Notifications: State Requirements   51
    E  Special Cases: Minors, Deceased, Missing Contact Info (Substitute Notice)   52
    F  Best Practices for Breach Notifications   52
  IV   Cyber Extortion in Healthcare   53
    A  Introduction to Cyber Extortion in Healthcare   53
    B  Protecting Against Extortion: HIPAA and Breach Notification Requirements   54
    C  Threat and Incident Response in Healthcare: Best Practices   54
    D  Remediation: "Recover and Rebuild" vs. "Pay Ransom and Decrypt"   55
  V    [heading missing]   58

Chapter 4  The Cost of Inadequate Security Measures: How Private Parties and Federal and State Regulators Seek Redress After a Health-Data Breach
  I    OCR's Role in Enforcing HIPAA   62
  II   Attorneys General Enforcement of HIPAA   77
  III  Private Plaintiffs' Indirect Enforcement of HIPAA   80
  IV   [heading missing]   84
    A  Risk Analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)) and Risk Management (45 C.F.R. § 164.308(a)(1)(ii)(B))   84
    B  Information System Activity Review (45 C.F.R. § 164.308(a)(1)(ii)(D))   85
    C  Security Awareness and Training (45 C.F.R. § 164.308(a)(5))   85
    D  Security Incident Procedures (45 C.F.R. § 164.308(a)(6))   86
    E  Business Continuity/Contingency Plans (45 C.F.R. § 164.308(a)(7))   86
    F  Implementing Effective Access Controls (see 45 C.F.R. § 164.312(a)(1) (access control))   87
    G  Ensuring that Security Measures Remain Effective as Technology Changes and New Threats and Vulnerabilities Are Discovered (see 45 C.F.R. § 164.306(e) (maintenance))   87

Chapter 5  Risk Rx: Managing Privacy and Cybersecurity Risks
  I    Risk Identification (The Diagnosis)   89
  II   Risk Avoidance and Mitigation (Preventive Care and Treatment Options)   91
    A  [heading missing]   92
    B  [heading missing]   92
    C  Technology and Related Practices   93
    D  [heading missing]   94
    E  User Training and Restrictions   94
  III  Risk Transfer (Insurance)   94
    A  [heading missing]   96
    B  [heading missing]   98
    C  Fidelity and Crime Policies   99
    D  Commercial General Liability Policies   99
    E  Professional Liability/E&O   100
    F  Directors and Officers (D&O)   101
    G  Kidnap and Ransom/Cyber Extortion   101
  IV   Conclusion (The Prescription)   102

Appendix A  State Comprehensive-Privacy Law Comparison
Appendix B  State Comprehensive-Privacy Law Comparison Map
Appendix C  FTC Notice of Breach of Health Information
Appendix D  HIPAA Enforcement Matters as of October 2020

Index   175