Cybersecurity in the Healthcare Industry
Anyone looking for a case study illustrating the speed of the evolving cyber threat need look no further than healthcare. The COVID-19 pandemic and rampant ransomware attacks shone a light on the cybersecurity threats facing the healthcare sector, as cybercriminals capitalized on the financial gain from stealing financial data and healthcare research. Despite being one of the first and most heavily regulated sectors for cybersecurity, the healthcare sector has remained one of the weakest sectors for cybersecurity. This chapter emphasizes that cybersecurity is a critical component of modern healthcare, and cybersecurity can pose additional risk to patients. This chapter recommends that cybersecurity investments be reclassified as an element of patient care within the medical loss ratio. It also calls for reduced regulation and increased incentives. For example, Meaningful Use requirements should be reduced or foregone entirely to allow for investment and use of health information exchanges to increase secure interoperability in the healthcare field. An incentive-focused regulatory approach would encourage more companies in the healthcare industry to make the investments necessary to protect information assets. With the right incentives, we drive good information security behavior today and continual good behavior going forward.
WHAT MAKES THE HEALTHCARE SECTOR UNIQUE
Patient data are uniquely valuable to criminals. The cost of purchasing stolen patient records on the cyber black market is approximately ten times the cost of purchasing that same individual’s stolen credit-card data and includes all data elements necessary to impersonate the victim. Hackers further monetize health records by compromising weaknesses in the healthcare system, billing fraudulent claims to Medicaid and Medicare, potentially prescribing narcotics, and even filing fraudulent tax returns.
Perhaps the most interesting evolution in the cyber threat facing healthcare industry is the rise of the nation-state threat. Governments of other countries direct their cyber warriors to hack into hospitals and health insurers to steal medical records. It’s likely that nation-state actors are stealing patient data to build databases on American citizens for espionage activities.
Insider threats are particularly insidious in the healthcare sector. Healthcare data processors say malicious insiders account for just about 10 percent of data breaches but are the root cause of double the percentage of medical-identity thefts. Accidental insiders cause more, albeit smaller, breaches.
The number of individuals who have access to data during a healthcare transaction represents another point of vulnerability. Even a routine visit to the doctor exposes medical data to a dozen people or organizations as diagnostic and billing information makes its way through various systems. Each hand represents another potential point of vulnerability or attack.
CHALLENGES FACING THE NEW ADMINISTRATION
Two major laws governing healthcare cybersecurity practices are not functioning as intended. The massive 2013 omnibus rule updating HIPAA, mandated by the HITECH Act, has failed to have the desired effect of making the healthcare industry more secure. In the years since its implementation, massive health-payer data breaches have occurred.
Moreover, the regulations take a retributive approach to cybersecurity, punishing organizations that get breached. Breaches spawn audits, and audits spawn punitive outcomes in the forms of substantial fines and other penalties, regardless of how much time and money was put into trying to prevent a breach.
The cost of security is a great obstacle for healthcare organizations. Large organizations have the ability to fund teams dedicated to both implementation of security best practices and regulatory compliance. Small practices have minimal resources. While all organizations must abide by the same rules and regulations, not all have equivalent access to the financial resources and expertise necessary to comply. The high cost of compliance, and the higher cost of failure, further exacerbates the problem.
The doctor-patient relationship is unique—patients are unlikely to abandon their medical provider over a data breach, so there is little incentive beyond regulatory consequences to spend time and effort defending against potential breaches.
The proliferation of technology in healthcare is another obstacle. Like most disruptive technologies, the uses for mobile-enabled practice management systems multiplied long before any serious thought was given to securing the technology.
Escalating ransomware attacks on the healthcare industry creates another challenge. For now, ransomware attacks appear unconnected to data theft. But given the real value of patient data—in its theft for exploitation or resale—ransomware attacks will become the nasty second jab of what really are one-two punch attacks.
Possible cyber-terrorist attacks against newly networked medical devices coming onto the market could cause significant disruptions, some even fatal. Life-sustaining devices once isolated away from public networks are now exposed to them. Medical equipment is now part of the mix of databases and hard drives once thought impervious to hackers.
There’s also a lack of urgency within the healthcare industry. The idea that medical data had value to criminals is novel, and it took significant healthcare data breaches to convince the industry to get serious about committing resources to secure itself against cyberattacks.
RECOMMENDATIONS
INCENTIVIZE HEALTHCARE TO IMPLEMENT BEST CYBERSECURITY PRACTICES
Healthcare needs a shift in focus away from prescriptive regulation toward regulation that encourages security best practices. An incentive-focused regulatory approach would encourage more healthcare companies to invest in necessary protections to information assets, possibly even driving broad adoption of controls necessary to solve the aforementioned data problems. What’s needed is a sliding scale of liability protection on the basis of company’s progress toward implementing an objective set of practices. The NIST Cybersecurity Framework, and the process used to develop it, could provide a good starting point for determining those practices.
The system should allow a company to accrue credits tied to its investments in security that it could use against future audits and fines in the event of a breach. This could be taken further by also offering modest tax incentives for certain high-value, but often-overlooked, security best practices, such as employee awareness training.
REDUCE REGULATORY COMPLEXITY
Congress should pursue legislation that harmonizes privacy, security, and information-risk-management requirements to eliminate the complex patchwork of regulations. Streamlining HIPAA audit requirements put into place by the HITECH Act. Audits drain resources from security budgets. Passing an audit, combined with proof of ongoing investment into cybersecurity, should result in a less strenuous audit the next time around—a HIPAA-Lite version, as it were—or increased time interval between audits.
REPLACE SOCIAL SECURITY NUMBERS AS A PATIENT IDENTIFIER
Congress should remove language placed annually in federal spending bills that prohibits the Department of Health and Human Services from using any federal funds to promulgate or adopt any such standard. Technology has provided for alternatives to a numeric or alphanumeric identifier as a solution, and the government does not need to be the arbiter of the identification solution.
USE SECURITY AS A FACTOR OF REIMBURSEMENT
Congress should allow the Centers for Medicare and Medicaid to use security as a factor in reimbursement. Similarly, improving an organization’s cybersecurity readiness should be considered a recognized activity under the clinical practice improvement performance category under the Medicare Access and CHIP Reauthorization Act Merit-based Incentive Payment System reimbursement scheme.