The surge of cyberattacks on health systems underscores the need for them to reassess security controls constantly as they minimize the risk of hackers obtaining patient data through phishing scams and other data infiltration methods.
The federal office that administers HIPAA rules is shouldering more work in cybersecurity and will add “data and cybersecurity” to the name of its health information privacy division to reflect that work.
Hacking now accounts for 80% of large data breaches, the Health and Human Services Office for Civil Rights said when announcing the reorganization last month. The number of data breaches involving unsecured health data of 500 or more individuals jumped to more than 600 a year in 2020 and 2021—a trend the OCR said is continuing.
“Those attackers that try to deploy ransomware often focus on the health-care industry, just because health-care organizations do hold a lot of sensitive data about individuals, whether it’s demographic information, sensitive medical information, and of course, financial information,” Jennifer J. Hennessy, a data privacy and cybersecurity attorney, with Foley & Lardner LLP, said.
A ransomware cyberattack on Regal Medical Group that exposed more than 3.3 million patients has prompted nearly a dozen proposed class action lawsuits.
More Online Data, More Bad Actors
The increase in hacking in part reflects the greater digitization of health data—a welcome change for an industry that relied on paper records and fax machines well into the 21st century. As more data moves online, it becomes easier for health systems to talk to one another and exchange information. But it can create more opportunities for nefarious actors to try and infiltrate those systems and communications.
“Each year, our systems get more complicated. And so our attack surface gets broader,” William “Bill” Dougherty, information security officer for the virtual, integrated chronic care provider Omada Health, said.
Companies also improved their ability at flagging and reporting breaches over the years, which also will lead to an increase in the number of breach reports, Dougherty said.
“People are being more careful. But at the same time, the criminals are ever more sophisticated,” Lucia Savage, Omada’s chief privacy and regulatory officer, said.
Many of those attempted hacks come from state-sponsored entities, said Savage, who prior to joining Omada was the chief privacy officer at the HHS’ Office of the National Coordinator for Health IT (ONC).
“We have a very volatile planet right now,” Savage said, noting the Russian invasion of Ukraine and the tensions between China and the US. “All of that kind of fosters the state-sponsored cyberterrorism piece of it, which is very, very hard for any business to grapple with, unless they’re very closely aligned with our national security infrastructure.”
Phishing emails are one of the main avenues for cyberattacks.
“You have to train your people to recognize a phishing email,” Savage said. “That’s how people get in. It’s not because it’s a brute force, I broke the encryption. It’s because they snuck some software code in because you clicked on a phishing link.”
Two-factor authentication is one tool that can address security holes “in a fairly easy fashion,” Greg Garcia, executive director for cybersecurity of the Health Sector Coordinating Council, said. The council is a convening organization of about 375 health companies from medical products to payers that are working with the HHS to address ongoing cyberthreats.
“HHS and we are trying to discover: What does a more robust cyber risk management program look like for the industry that we can be held accountable to?” Garcia said.
However, any move to make these security measures mandatory must take resources into account, Garcia said.
A small, rural critical access hospital may have a hard enough time hiring a nurse, or buying a new medical device, “let alone being told by the government that here are all of the new cybersecurity controls and technologies you have to invest in to be compliant,” Garcia said.
Call for Coordinated Strategy
The National Cybersecurity Strategy released by the White House earlier this month calls for a “more coordinated, and more well-resourced approach to cyber defense.”
Under the HHS security rule, entities subject to the Health Insurance Portability and Accountability Act must apply administrative, physical and technical safeguards to its protected health information.
Kirk J. Nahra, co-chair of WilmerHale’s cybersecurity and and privacy practice, said it’s important to conduct risk assessments routinely and any time a new development warrants it.
When ransomware first became a known risk, “I don’t think it would have been the right decision generally just say, ‘Oh, we just did our risk assessment last month, we didn’t know about ransomware. Now we know about it, but we’ll wait for another year to think about,’” Nahra said. “So you adjust both when developments require adjustment, and you adjust on some regular case. And that makes sense to me.”
The HIPAA security rule is “actually a very effective rule for making people continually update based on what’s changing, technologically, societally, changing with your business.” Nahra said.
But addressing cybersecurity in health extends beyond HIPAA, Garcia said. There’s the ONC, and the Food and Drug Administration’s oversight of medical device security, the Centers for Medicare & Medicaid Services, and accrediting bodies.
“There are there are these various operational divisions in HHS that touch cybersecurity in some way. And it’s important for a large sprawling agency like HHS to identify where are those various regulatory touch points on cybersecurity and make sure it’s coordinated,” Garcia said.
René Quashie, vice president of digital health for the Consumer Technology Association, said the biggest risks lie with data that falls outside of HIPAA’s jurisdiction, such as companies that store and exchange health data but don’t qualify as HIPAA-covered entitites.
“You’ve got this sort of huge gray area that exists for entities that are not covered under HIPAA, but who nevertheless, may collect, share and use health data,” Quashie said.
CTA is advocating for a federal privacy law that would preempt all state laws and wouldn’t allow for private right of action.
“HIPAA has done a very good job. But given how health care has changed, HIPAA is not enough,” Quashie said.
To contact the reporter on this story:
To contact the editor responsible for this story: