NIST Assigns Highest Risk Level to New Cyber Risk: BASH aka Shellshock

September 26, 2014October 9, 2014 Kathie McDonald-McClure Privacy & Security BASH aka Shellshock flaw, cyber risks and cyber crime, Health Information Technology, privacy and security of protected health information

On Wednesday, September 24, 2014, news broke about a newly discovered cyber security threat referred to as the BASH flaw or Shellshock. By Thursday, September 25, 2014, cyber security experts were confirming the cyber vulnerability threat for users of UNIX and Linux based systems, including MAC IO X. The National Institute of Standards & Technology (NIST) has rated the BASH flaw a 10 out of 10 on its vulnerability severity scale. Click here for the NIST alert.

Devices containing the BASH flaw may include millions of stand-alone Web servers and Internet-connected devices. HITRUST issued an alert to healthcare providers urging them to take appropriate steps to safeguard their systems. The HITRUST alert states, in part:

“The HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) has been tracking and reporting on the Remote Code Execution Vulnerability Discovered in Bash on UNIX-based Operating Systems (OS). HITRUST C3 is issuing this alert to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations. HITRUST C3 – Healthcare Sector Cyber Threat Report HI255-14.”

According to Fierce HealthHIT: “The vulnerability happens when Bash is starting up; and it could allow a hacker to create a malicious code that would allow them to gain control of a compromised server.” HITRUST and many other cyber experts are stating that the BASH Shellshock bug is worse than Heartbleed, which was the flaw discovered in the widely used website encryption code, OpenSSL, an issue on which we reported in April 2014. The BASH flaw reportedly allows a hacker to completely take over a computer or server.

This is one of the more complicated cyber risk flaws to try to explain to the public, but this chap from UK has produced a 4-minute You Tube video trying to do just that. We are not vouching for the accuracy of this video (especially given that we are not computer scientists), but we can recommend following his advice at the very end of the video: “Make sure you keep your computers and any servers you run up to date with security patches and security fixes.” If you want a more technical description of BASH, see the article published by Troy Hunt, Software architect and Microsoft MVP, on his blog at troyhunt.com or click here.

KHIE issues June Newsletter

June 17, 2014 Kathie McDonald-McClure EHR Certification Standards, Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives linkedin, meaningful use of certified EHR, Medicare reimbursement reductions

The Kentucky Health Information Exchange (KHIE) has issued its June 2014 Newsletter, The KHIE Connection. This month’s issue includes a summary of the Centers for Medicare and Medicaid Services (CMS) Notice of Proposed Rule Making (NPRM) that, if finalized, would allow providers to meet Stage 1 or Stage 2 Meaningful Use with electronic health records (EHRs) that are certified to HHS ONC’s 2011 or 2014 Edition criteria or a combination of both Editions. Comments to the NPRM must be received by July 21, 2014. The newsletter also addresses Medicare’s scheduled payment adjustments for 2015 that will impact eligible hospitals and providers who do not timelyattest to Meaningful Use of certified EHRs. Guidance on attesting to Meaningful Use also is included.

Healthcare CIOs Face Cyber Risk: Internet Explorer Gives Hackers Total Access (Microsoft Issues Patch)

April 29, 2014May 1, 2014 Kathie McDonald-McClure Electronic Health Records, Federal Law Resources, Health Information Technology HIPAA Security Rule, IE's zero-day threat, Internet Explorer Cyber Security Vulnerability, Microsoft Security Advisory for IE patch

Updated May 1, 2014 at 5:30 pm

The old weather proverb about March, in like a lion and out like a lamb, hit April in the reverse in the world of cyber security. While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here). As of April 26, 2014, the month was still roaring like a lion with yet another newly discovered cyber security threat to Internet Explorer (IE), first announced by FireEye Research Labs. Microsoft quickly confirmed the flaw on its Security TechCenter webpage. Today, May 1, 2014, Microsoft released a critical security update announcing a patch for all versions of Microsoft IE, including XP, which have the vulnerable flaw. This patch, which fixes the vulnerability discussed further in this article, should be immediately installed.

IE’s Vulnerability Dubbed “Operation Clandestine Fox.” FireEye named the flaw “Operation Clandestine Fox” for a couple of reasons. One is that hackers are already exploiting the vulnerability in an active “campaign.” Further, FireEye said the exploits are “clandestine” because the hackers lure computer users to malicious web code, like a “fox” who lures prey to a watering hole and then moves in for the kill.

With the IE vulnerability, the hacker can use Adobe Flash content, a popular website or an email to bait the computer user to click on malicious HTML code. This allows the hacker to download the malicious software to the user’s computer. Once downloaded, the hacker gains access to the user’s computer and can then gather the information needed to access other programs and networks accessed by the user. Such access can include otherwise secure servers, databases and networks. The risk has been perceived as sufficiently significant to prompt the U.S. Department of Homeland Security to issue a security advisory to its CERT Vulnerability Alerts Database webpage. Microsoft and Homeland Security are updating their advisories almost daily, requiring daily, if not hourly, vigilance on the part of Chief Information Officers (CIOs) in developing a responsive action plan.

HIPAA Security Rule Compliance: Develop An Action Plan. CIOs should immediately assess newly identified cyber security vulnerabilities posed to its networks and develop an action plan to address them. The risk assessment should include an evaluation of how confidential electronic data is accessed by others such as employees, medical staff, patients, and third-party vendors. Ensuring security is especially critical for those who can remotely access your organization’s electronic health record system. Continue reading →

Stage 2 “Meaningful Use”: Counting Patients Who Access Their Online Information Before Discharge

April 21, 2014April 21, 2014 Kathie McDonald-McClure Electronic Health Records, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use Stage 2 Meaningful Use Core Measure Patient Onlin Access

Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals must make a “meaningful use” of “certified electronic health technology” or face reductions in Medicare reimbursement during Medicare’s 2015 fiscal year (which begins October 1, 2014). One of the many Stage 2 requirements includes the following one related to patient on-line access to health records:

Accessing Online Health Records — *MU Measure Requires 5% of Discharged Patients to Access Health Information Online*

Meaningful Use Core Measures, Measure 6 of 16

“More than 5 percent of all unique patients (or their authorized representatives) who are discharged from the inpatient or emergency department (POS 21 or 23) of an eligible hospital or CAH [must] view, download or transmit to a third party their [online] information during the EHR reporting period.” (Emphasis added.)

A literal reading of this measure prompted hospitals to frequently ask whether a patient who accesses their online health information before they are “discharged” will count towards this meaningful use objective. The Centers for Medicare and Medicaid Services (CMS) posted an answer to this question that we like and think hospitals will like as well. CMS says “yes”. Continue reading →

Healthcare CIOs: Check for vulnerability of OpenSSL servers to Heartbleed

April 10, 2014April 14, 2014 Kathie McDonald-McClure Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law cyber risks and cyber crime, Heartbleed bug in OpenSSL, Heartbleed cyber risk for HIT, HIPAA security risk assessment, Securing protected health information from risks of Heartbleed, website encryption

Updated April 13, 2014 at 6:30 pm

CYBER RISK ALERT! Just when we thought we were safe online while using websites that display the key security “https” in the URL, we learn that nothing could be further from reality. On April 7, 2014, security researchers at Codenomicon announced the discovery of a flaw in the OpenSSL (security socket layer) that is used in an estimated two-thirds of the servers that support websites displaying the “https” letters that we have come to trust. Based on the back-end technology of OpenSSL, which involves what is called a “heartbeat” extension and a leakage of data from the server, this new cyber liability threat has been dubbed Heartbleed.

Vulnerability of HIT and Compliance with HIPAA. Although the OpenSSL flaw’s name has no direct connection to health information technology (HIT), it ironically could be a pain for health care providers. Continue reading →

A legal blog about consumer privacy and data security in a high-tech world

Author: Kathie McDonald-McClure