On Sept. 26 the United States Government Accountability Office publicly released its report to the Committee on Health, Education, Labor, and Pensions of the U.S. Senate, ELECTRONIC HEALTH INFORMATION: HHS Needs to Strengthen Security and Privacy Guidance and Oversight (GAO-16-771). In its report, the GAO brought to light that the magnitude of breaches in the healthcare sector, due to targeted and untargeted attacks, has grown significantly during the past several years, with over 113 million health records breached in 2015. This number only takes into account reported breaches affecting 500 individuals or more.
For those of us in the healthcare information security field, the news that the healthcare sector is more frequently targeted than other sectors, according to the GAO report, is nothing new. We live this reality daily and it is a challenge we have to contend with. The GAO report also describes the vast array of threat actors we face: organized crime, nation state actors engaged in espionage, and malicious insiders within healthcare organizations.
Cybersecurity is not an easy endeavor for any of us—and we know that we, as a sector, are under siege. There is no question—we are bleeding data and potentially putting patients in harm’s way by risking patient safety.
The GAO report calls on the U.S. Department of Health and Human Services to issue more guidance to help us improve our security posture within the healthcare sector. It also calls on HHS to ensure that its guidance is in alignment with the NIST Cybersecurity Framework (Framework).
The Framework itself does set forth valid processes for reducing cybersecurity risk through its core functions: identify, protect, detect, respond, and recover. But the Framework is still high-level, and it does not convey the know-how a healthcare organization needs in order to implement it—especially an organization that lacks adequate or experienced cybersecurity personnel or resources. Additionally, there appears to be a lack of use cases or other studies that would support the notion that the Framework, as written (without further detail on the “how” and the “why”), is an effective solution for reducing cybersecurity risk.
To be clear, the Framework could be tailored to healthcare—but, it needs to have more substance. Indeed, the level of voluntary adoption of the Framework seems to be relatively low in the healthcare sector, at the time of this writing. Healthcare is indeed unique when it comes to cybersecurity—safeguarding information must be carefully balanced against the need for access to mission critical patient information (after all, there may be an exigent need for such information).
The GAO report also highlights another struggle that healthcare organizations have had with HIPAA compliance—many healthcare organizations do not know if they are in compliance with the HIPAA regulations. To this end, additional guidance from the Office for Civil Rights at HHS has been helpful—such as the FACT SHEET: RANSOMWARE AND HIPAA guidance. Healthcare organizations now have more clarity in terms of how to assess and manage risks involving malware, such as ransomware, and when (and if) to report a breach.
But, still, the HIPAA regulations are vast and complex—reading these regulations multiple times may not enhance one’s understanding of how to comply. Rather, it is the role of legal counsel to provide salient advice to the healthcare organization, in terms of what the HIPAA requirements are and whether or not the organization is in compliance. And, it is the role of qualified cybersecurity personnel to provide counsel on how to conduct an accurate and thorough risk assessment and how to manage these risks. There is no shortcut or substitution—rather, healthcare organizations—covered entities and business associates alike—must fend for themselves and obtain the necessary assistance to make sure that they are complying with HIPAA and implementing a robust security program.
Guidance serves its purpose by helping to lead the way or provide helpful pointers—but it cannot “do” the necessary work to ensure compliance or robust security for healthcare organizations. We, as a healthcare sector, must do better by being more proactive about cybersecurity. After all, patient lives (and their data) are very much on the line.