Question: We’ve been experiencing an increase in phishing and are aware of reports of ransomware events. Are there any resources available to keep us apprised of emerging threats so we can be in a more defensive position and comply with the HIPAA Security Rule?

Ohio Subscriber

Answer: Yes, there are a couple of handy online resources that offer the most up-to-the-minute advice on threats. One helpful site to look at is the National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST).

“The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP),” NIST explains. The NVD resources offer tips on managing and measuring vulnerabilities while alerting the public to known software flaws, misconfigurations, and cyber impacts.

Heads up: As part of their policies and procedures, covered entities (CEs) and their business associates (BAs) must address known and possible vulnerabilities in their risk analysis, according to the HHS Office for Civil Rights (OCR) in the 2022 Cybersecurity Newsletter for the first quarter.

OCR explains that vulnerabilities “can exist in many parts of a regulated entity’s information technology infrastructure (e.g., server, desktop, and mobile device operating systems; application, database, and web software; router, firewall, and other device firmware).”

OCR advises, “Often, known vulnerabilities can be mitigated by applying vendor patches or upgrading to a newer version. If a patch or upgrade is unavailable, vendors often suggest actions to take to mitigate a newly discovered vulnerability.”

CISA: The Cybersecurity and Infrastructure Security Agency (CISA) also offers daily updates on a variety of issues and includes industry-specific guidance. Plus, you can subscribe to CISA’s numerous alerts and bulletins on a plethora of topics. Other tools on the site include a dedicated Stop Ransomware page, cyber hygiene services, and regionally based cyber tools and resources.

Resources: Visit the NVD resources at https://nvd.nist.gov and peruse the CISA site and guidance at www.cisa.gov.