
Time for Top-Down Approach to Healthcare Cyber Security

Healthcare leaders need to get everyone in their organizations to step up to the challenge and do their part to thwart cyber attackers

When it comes to cyber security, healthcare organizations can no longer afford to merely treat it as a technical problem that can be left to a few specialists.

The growing spectrum of cyber threats—and the attendant risks to care delivery, patient safety, and the business of healthcare—cannot be mitigated by the efforts of cyber experts alone. Instead, healthcare leaders need to get everyone involved, from the board of directors to medical and support staff.

As discussed in an earlier blog post, the growing sophistication of cyber threats (as detailed in Symantec’s 2018 Internet Security Threat Report) coincides with the growing complexity of the health IT environment—leaving healthcare organizations trying to defend a broader attack surface against a growing range of threats. To make matters worse, malicious actors appear to find healthcare organizations to be especially attractive targets, as noted in the Symantec Executive Summary for Healthcare Professionals.

The first step in mitigating these threats is understanding them and their potential impact on the delivery of care and the business of healthcare, and that begins with the board of directors and hospital administrators.

The American Bar Association points out that cyber security is a legal liability that comes with potentially significant financial risk. For example, failure to comply with the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA) can cost an organization up to $1.5 million per year for each violation. To make matters worse, a single incident can be treated as the result of multiple violations, so the fine may be a multiple of that amount. Case in point: In June 2018, a judge ordered a Texas cancer center to pay $4.3 million in penalties for HIPAA violations.

But liability is just one concern. A significant cyber event can come with other risks, including the impact on clinical operations and patient safety and the damage to an organization’s reputation, according to a 2017 report by McClain and Canoy, a law firm specializing in health issues. With all that in mind, it’s in the board’s best interest to ensure that an organization has the resources it needs to minimize exposure to cyber risks.

“A company’s budget typically illustrates its values,” the report states. “Companies should allocate sufficient financial resources to cyber security through salaries, consulting budgets and technology upgrades to enable the compliance team to effectively execute the necessary compliance plan.”


But healthcare leaders also need to recognize that for many people, themselves included, cyber security requires continual learning and continual adaptation of one’s strategy. For example, because of the focus on HIPAA, it’s easy to conflate cyber security with data privacy. But as the American Hospital Association (AHA) points out, cyber security encompasses much more: not just protecting the data, but also identifying and mitigating vulnerabilities throughout a hospital’s information network. With that in mind, AHA has developed cyber security training for hospital leaders.

Further, HHS recognizes that cyber attacks are increasing and are more dangerous than they have ever been, and that regulations cannot possibly anticipate every change in the threat landscape or in technology in a prescriptive way. For example, mobile devices, cloud storage and social media did not exist when the HIPAA Security Rule was published in 2003. Therefore, HHS clarified in 2016 that “the Security Rule simply establishes a floor, or minimum requirements, for the security of ePHI; entities are permitted (and encouraged) to implement additional and/or more stringent security measures above what they determine to be required by Security Rule standards.”

Health IT and cyber leaders have a role to play in this as well. Like specialists in many fields, cyber experts tend to speak their own language, which non-specialists might find incomprehensible. But to get the resources and support they need, they must learn to explain cyber risks and priorities in clear and compelling terms appropriate for their audience. For example, a business leader should be concerned about and receive information on the business risks, whereas clinical decision makers should be focusing on the potential impact on care delivery and patient safety.

This concern was also expressed by the Health Care Industry Cyber Security Task Force, which was formed by the Department of Health and Human Services (HHS). In its June 2017 report, the task force recommended that the industry’s various professional associations develop materials to help cyber leaders communicate more effectively with their leadership.

But healthcare organizations also need to consider training for their broader workforce. The HHS Office for Civil Rights (OCR), which oversees compliance issues, points out that an organization’s workforce is on the front line when it comes to ensuring the privacy and security of protected health information (PHI).

In a June 2017 article, OCR states that the number of providers and health plans involved in security-related HIPAA violations or cyber security attacks affecting PHI had increased 10 percent over two years. In fact, as discussed in the Executive Summary for Healthcare Professionals, the long-term trend since 2010 (per the OCR breach portal web site) shows the number of reported breaches typically increasing by 10 percent per year.

“This increase in HIPAA violations includes breaches due to ransomware events, such as WannaCry, and other cyber attacks which could have been prevented by an informed workforce trained to detect and properly respond to them,” according to OCR.

Clearly, everyone in a healthcare organization is a stakeholder with a vested interest in strengthening cyber security, and a vital role in making that happen. Health leaders looking to respond to the growing spectrum of cyber threats need to ensure that their cyber experts are not fighting this battle alone, but do so with the backing of the larger organization.


About the Author

Axel Wirth

Symantec Technical Architect

As Solutions Architect, Axel Wirth provides strategic vision and technical leadership within Symantec’s Healthcare Vertical, serving in a consultative role to healthcare providers, industry partners, and health technology professionals.
