Cybersecurity: Free juice is not worth the squeeze

© sasun Bughdaryan - stock.adobe.com

Two cybersecurity healthcare related items to consider when addressing compliance.

First, the U.S. Federal Bureau of Investigation (FBI) recently provided sage advice applicable to individuals and corporations alike – do not use public USB charging stations for electronic devices. “’Juice jacking’ from public USB charging ports in airports, malls and hotels could give hackers access to sensitive information.” Juice jacking is not new; rather the term has been around since 2011. The notion that public charging stations can deploy malware into unsuspecting users’ devices and hijack their data, underscores that the free “juice is not worth the squeeze.”

How can people abide by the guidance, while reducing their risk of a cyber-attack, including a ransomware attack, without taking up a lot of space in their carry-on? Purchase a small cube that plugs into the wall on one end and enables a USB cable to be connected on the other end. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software on devices” tweeted the FBI. In other words, “carry your own cord and use an electrical outlet instead.” This is definitely an item to include in corporate training, as well as policies and procedures.

The 21st Century Cures Act also has technical, administrative, and physical safeguard considerations because of its nexus to HIPAA, as well as the security exception to Information Blocking. On April 11, 2023, the U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) released a Notice of Proposed Rulemaking, which will be published in the Federal Register, to implement certain provisions of the 21st Century Cures Act and make numerous advancements to the ONC Health IT Certification Program. Some of the proposals include the following:

• Implementing the Electronic Health Record Reporting Program as a new Condition of Certification for developers of certified health information technology (health IT) under the Program.
• Modifying and expanding exceptions in the information blocking regulations to support information sharing.
• Revising several Certification Program certification criteria, including existing criteria for clinical decision support (CDS), patient demographics and observations, electronic case reporting, and application programming interfaces for patient and population services.
• Adopting the United States Core Data for Interoperability (USCDI) Version 3 as a standard within the Certification Program and establishing an expiration date for USCDI Version 1 as an adopted standard within the Certification Program.
• Updating standards and implementation specifications adopted under the Certification Program to advance interoperability, support enhanced health IT functionality, and reduce burden and costs.

“In collaboration with federal partners, including the Agency for Healthcare Research and Quality, Food and Drug Administration (FDA), HHS Office for Civil Rights, and U.S. Department of Veterans Affairs (VA), and the Federal Trade Commission (FTC), the ONC rule proposes new policies that, if finalized, would promote greater trust in the predictive decision support interventions (DSIs) used in healthcare. These proposals would help enable users to determine whether the predictive DSI is fair, appropriate, valid, effective, and safe, and enable market competition. Specifically, we sought alignment with the FDA’s recent guidance on CDS.” Public comment is open from April 18, 2023 for 60 days.

In sum, cybersecurity, cyber risk management, and government agency coordination is becoming more of a focal area. It is imperative that individuals and corporate entities take adequate precautions to minimize the risk of a breach.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.