
December 26, 2024
The HHS Office for Civil Rights (OCR) will implement the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy on December 23, 2024, in response to the Supreme Court's 2022 decision in Dobbs v. Jackson Women's Health Organization. This rule intends to enhance privacy protections for reproductive healthcare by preventing HIPAA-covered entities from disclosing protected health information (PHI) in scenarios where it could assist law enforcement or other entities in investigating individuals for lawful reproductive healthcare. To comply, these entities must require an attestation from requesters, confirming that their intended use of the information does not involve prohibited purposes, particularly in health oversight, judicial proceedings, or law enforcement.
New HIPAA Rule Enhances Reproductive Healthcare Privacy Amid Legal Changes - HIPAA Journal
December 26, 2024
Cybersecurity experts warn that organizations face increased risks when their security teams are reduced during holidays or vacations, as attackers often exploit these times to target corporate communication platforms and impersonate trusted colleagues. The risk is compounded when junior staff are less familiar with security protocols and by the difficulty of maintaining service-level agreements. Notable incidents, such as the Log4j vulnerability discovery during a holiday, highlight the importance of timely responses and operational safeguards. To mitigate these risks, organizations should develop detailed staffing plans, train employees on verification methods for urgent requests, and consider automation and restrictions on changes to critical systems during low-resource periods.
Cybersecurity Risks Surge as Teams Thin Out During Holidays - Dark Reading
December 26, 2024
Ascension, a major U.S. healthcare system, reported a data breach affecting around 5.6 million patients and employees due to a ransomware attack attributed to the Black Basta group. The attack, which occurred in May, compromised sensitive personal and health information, prompting Ascension to notify affected individuals and offer two years of free identity theft protection. The breach, linked to an employee's accidental download of malware, disrupted its MyChart electronic health records system. Ascension has initiated investigations and notified law enforcement agencies.
Major Ransomware Attack Exposes Data of 5.6 Million Ascension Patients - BleepingComputer
December 26, 2024
The U.S. Department of Health and Human Services (HHS) has issued a warning for healthcare organizations to improve the cybersecurity of operational technology (OT) and Internet of Medical Things (IoMT) devices, which are increasingly targeted by cybercriminals. The advisory highlights that while regulatory focus has been on medical devices, other connected systems such as HVAC and elevators also present security risks due to outdated software and insufficient cybersecurity measures. HHS notes that many of these devices lack vendor support and operate in environments that hinder necessary updates, making them vulnerable to attacks that could compromise patient safety and sensitive data. Recent analyses indicate that both targeted and non-targeted attacks exploit these vulnerabilities, raising concerns about the potential for ransomware incidents involving OT and IoMT devices.
HHS Urges Healthcare Sector to Bolster Cybersecurity for Medical Devices - BankInfoSecurity

© Copyright 2024 Health Lyrics All rights reserved