July 20, 2022
Real-time Review of the Oklahoma State University Cybersecurity Breach
It seems there are daily reports of healthcare organizations that have become the victim of a cyberattack. A best practice is to review Office for Civil Rights (OCR) findings to identify actions you can take to protect your organization from similar attacks. Here is a review of a breach at Oklahoma State University (OSU) to use as an example.
We understand that resources are tight, and you likely don’t have time to dissect every reported incident. On the other hand, you may say, “I not only have no time, but I wouldn’t even know where to start.”
Our chief security and engineering officer John Gomez has done the work for you by reviewing a real-life cyberattack (Oklahoma State University – Center for Health Sciences) and the OCR findings. This video provides a deep-dive review of the OCR findings so that you can do the following:
- Learn how to review and dissect future events to understand what you should do differently
- Understand the details of this breach and make some adjustments to your environment
Background of the Breach:
Oklahoma State University Center for Health Sciences (OSU-CHS) reported a breach of Protected Health Information (PHI) to the OCR on January 5, 2018 that impacted 279,865 individuals.
The Incident: An unauthorized third party gained access to a web server and uploaded malware; PHI was stored on this web server. The unauthorized party first accessed the server on March 9, 2016. At the time of the incident, OSU-CHS was unaware that PHI was stored on the server.
OCR Findings: A fine of $875,000 was levied, and OSU-CHS was required to complete corrective actions within a defined period.
Things to Know:
- All breaches are listed on the OCR website (HHS.gov) and open to public view – this is an excellent place to review the incidents as we do in the video.
- OCR will not bring a civil suit against a hospital; however, OCR findings can lay the foundation for civil claims against you (as seen in other instances).
- Walking through the OCR findings can help you evaluate if you have holes in your cybersecurity plan. Now is the time to review your plans—don’t wait until you are a cyberattack victim.
Things to Consider:
- Know where your PHI is located – in this case, OSU-CHS did not know at the time of the incident that PHI was located on the compromised server.
- Action – inventory and document which systems are storing PHI.
- Understand your cyber liability insurance – in this example, it’s likely that cyber liability insurance would not apply. If HHS finds that your organization has many items to correct, it’s possible you attested to your cyber liability insurance company that you had already done these things; therefore, they likely won’t pay. There’s often language in cyber liability insurance policies stating that an organization “must adhere to cybersecurity best practices,” and insurance companies can use this as a catch-all to not honor claims.
- Review policies and procedures – you should do a quarterly review to determine if your policies are meeting current threats and best practices (OCR says annually, but it’s a best practice to do it quarterly.)
Corrective Action Plans:
In addition to paying a hefty fine, OSU-CHS was also required to implement corrective actions.
Detailing corrective actions is a newer approach from OCR. Could this be a trend where they levy a minor fine but mandate corrective actions that need to occur within a defined period; otherwise, they could come back and levy more fines?
Here are some corrective actions that the OCR findings mandated for OSU-CHS. You can use these steps to check your cybersecurity program to ensure these items are in place:
- Conduct a risk analysis of systems with PHI; please see a word of caution about this below.
- Document a risk management plan to identify and address security threats.
- Develop, maintain, and revise written policies and procedures.
- Train employees on the policies and procedures that relate to their job function and ensure they understand them.
- Do not give employees who have not completed the training access to PHI (again, it’s essential to know where your PHI is stored).
- All materials need to be provided to HHS, so make sure you have all of them.
A word of caution: Don’t subscribe to “compliance island syndrome,” where you decide only to protect or assess systems that contain PHI. This is a bad idea from a security perspective because attackers can gain access to any part of your network and then access PHI. Even though OCR, in this case, only mandates that OSU-CHS do a risk assessment of systems with PHI, we recommend including all systems. A civil suit will look at your organization holistically, not just those systems with PHI.
Even if you have monitoring tools in place, if your policies and procedures are not being followed, employee training is not being conducted, and you are not paying attention to the current threat landscape, you could easily end up in the same position as OSU-CHS. There is a lot more detail in this 30-minute video, which reviews the OCR findings from the HHS website.
CloudWave’s Sensato Cybersecurity-as-a-Service (CaaS) makes compliance, detection, and response easier for you. We take the burden off your teams and provide policies and procedures, risk assessments, and complete network detection, including 24×7 eyes-on-glass. Learn more here.
Contact us at firstname.lastname@example.org for more information.
Laura Pursley is the marketing director at CloudWave.