The U.S. Department of Health and Human Services on Friday released the four-volume voluntary guidance for healthcare organizations titled “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.”
WHY IT MATTERS
Mandated under the Cybersecurity Act of 2015, the HICP report was developed by a task force of more than 150 cybersecurity and healthcare experts.
HHS said protecting against cyberattacks is like fighting a deadly virus. It takes mobilization and coordination of resources across myriad public and private stakeholders, including hospitals, IT vendors, medical device manufacturers, and governments to minimize risks and impact.
What’s more, the average cost of a data breach per healthcare organization is $2.2 million, according to the HHS report.
Erik Decker, industry co-lead on the publication and chief information security and privacy officer for the University of Chicago Medicine, said the healthcare industry is “truly a varied digital ecosystem.”
According to Decker, the HHS task force “heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats.” That’s why the authors of the report included recommendations for the C-suite as well as for IT experts.
HHS officials said that cybersecurity remains a top priority for the agency and stressed the importance of private-public partnerships — like the one used to write HICP — to protect critical infrastructure. In the coming months, HHS will work to raise awareness of the publication and to implement the suggested cybersecurity practices across the healthcare industry, officials said.
The report listed the five most relevant and current threats to the industry as phishing, ransomware, loss or theft of equipment or data, insider accidental data loss, and attacks against digital health tools.
THE BIGGER TREND
During October we ran a special series on cybersecurity and discovered that weaponized malware, hackers holding data hostage, social engineering and spearphishing campaigns were just a few of the attacks common today.
Hospitals have the devastating task of trying to guard against the next big threat – not knowing when it will come or what it will look like. Security dashboards can be invaluable. They can showcase everything a CIO or CISO needs to know about their security posture, we wrote. CIOs and CISOs are coming to depend on their security dashboards to plan strategies and tactics.
ON THE RECORD
“Cybersecurity is everyone’s responsibility,” said Janet Vogel, HHS Acting Chief Information Security Officer. “It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
Email phishing attacks, ransomware attacks and attacks against connected medical devices are among the greatest cyberthreats that health systems need to protect against, according to new cybersecurity guidance for health systems from the Department of Health and Human Services.
Released last week, the Health Industry Cybersecurity Practices guidance is intended to help the industry identify ways to reduce its risk from cyberthreats. The result of a two-year effort between HHS and private entities, the guidance fulfills a mandate of the Cybersecurity Act of 2015.
“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS acting chief information security officer, in a release. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
It’s a far-reaching problem impacting organizations across healthcare from health systems to insurers on multiple fronts.
A study published in JAMA in November found that hackers took 133.8 million patient records between 2009 and 2017. Most recently, Atrium Health reported that a database of more than 2.6 million billing records of patients at Atrium Health—formerly Carolinas HealthCare System—was compromised by hackers.
But lawmakers have been expanding their focus to other threats in recent months. In November, a congressional committee asked HHS to begin drawing up plans to provide more transparency about cybersecurity risks within medical devices.
“The breadth and complexity of these threats complicate mitigation. This is not simply an IT problem. When threats and vulnerabilities are identified and assessed for potential impact, the most effective combination of safeguards and cybersecurity practices must be determined based on the organization’s particular needs, exposures, resources, and capabilities,” the report said.
It’s a costly problem. The U.S. healthcare system lost $6.2 billion to data breaches in 2016, with 4 in 5 physicians experiencing some form of cybersecurity attack, the report said.
In order to mitigate future breaches, HHS provided a list of 10 areas for stakeholders to focus on to limit their vulnerabilities, including:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
HHS acknowledged that the exact shape of these practices will vary depending on the type of entity employing them. It therefore provided guidance on several “sub-practices” for different-sized organizations in the technical volumes accompanying the report.
Athenahealth is asking federal regulators to create a fraud exemption that would allow doctors to pay “fair market value” for patient data, creating a business case for interoperability.
Such an approach would establish “a true functioning market for the exchange of health information,” Greg Carey, director of government and regulatory affairs at Athenahealth, wrote in a letter to Inspector General Daniel Levinson. Carey said the payments would be “nominal.”
Responding to a request for information issued by the HHS Office of Inspector General in August seeking suggestions on how to reform the Anti-Kickback Statute and Stark Law, Carey argued that outdated fraud laws didn’t account for the value of data exchange. While other industries like finance pay for data, healthcare companies like Athenahealth are forced to shoulder the costs of secure, efficient data transfer that supports value-based care.
“It is our experience that information exchange occurs best when there is a business case and problem to solve,” Carey wrote. “We believe that new safe harbors to Stark and Anti-Kickback statute to allow for the fair market value payment for the exchange of health data will spur interoperability forward and allow the market to further realize the benefits of health IT on lowering costs and improving patient outcomes.”
Meanwhile, Cerner called on OIG to broaden carve-outs for providers to donate EHRs and related healthcare technology that address population health management and care coordination. The company recommended that the OIG add explicit provisions to the EHR Safe Harbor to allow any risk-bearing entity in an advanced alternative payment model to donate EHRs to post-acute care providers, nursing facilities, long-term care hospitals and rehabilitation facilities.
Cybersecurity carve-out needed
Similarly, two IT groups advocated for an Anti-Kickback carve-out that would allow health systems to share cybersecurity tools with smaller providers.
Rather than modifying the existing EHR safe harbor, the College of Healthcare Information Management Executives requested a separate exemption that would include program development, software and hardware, expertise in the wake of a cyberattack and staff time.
Cybersecurity experts have frequently pointed to this exemption as a way to get resources to smaller providers prone to attacks.
The Healthcare Sector Coordinating Council (HSCC) also threw its support behind a cybersecurity safe harbor, noting that a stronger cybersecurity posture across the industry would help facilitate the shift from volume to value by facilitating protected data exchange.
“The security of the healthcare system is only as strong as its weakest link, so it would benefit the entire healthcare industry to support the provision of cybersecurity resources outside of large health systems,” wrote Greg Garcia, executive director for cybersecurity at HSCC. “Doing so would help to protect a community’s larger systems, as well as the affiliated small and medium-sized practices.”
Anthem has agreed to pay the Department of Health and Human Services (HHS) $16 million for a landmark 2015 breach that impacted nearly 79 million consumers.
It’s a record-setting settlement from the Office for Civil Rights (OCR), the HHS agency tasked with enforcing HIPAA. It’s nearly three times the agency’s previous highest settlement of $5.55 million paid by Advocate Health Care in 2016.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” OCR Director Roger Severino said in a statement. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”
“We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR,” he added.
An investigation by OCR found that the insurance giant failed to conduct an enterprise-wide risk analysis, regularly review system activity or identify and respond to a known threat.
OCR also determined that Anthem failed to implement the minimum security controls to prevent hackers from accessing sensitive patient information. The attack, which began as early as Feb. 18, 2014, wasn’t discovered by Anthem until Jan. 29, 2015, but most of the information was stolen between Dec. 2, 2014 and Jan. 27, 2015.
Anthem has also agreed to take “substantial corrective action,” according to OCR. As outlined in its corrective action plan with the agency, Anthem must conduct a risk analysis, review its policies and procedures, provide annual reports to HHS for a two-year period and notify HHS of any reportable events involving employee noncompliance.
Last year, the insurer agreed to pay $115 million to settle a class-action lawsuit from members affected by the breach.
DAS Health’s Vice President of Technology Solutions Appointed to the USF Cybersecurity for Executives Advisory Committee
Kyle Mynatt brings extensive healthcare information technology knowledge to the innovative committee
TAMPA, Fla. (August 6, 2018) – Kyle Mynatt, Vice President of Technology Solutions for DAS Health, an industry leader in health IT and management, has been appointed to the USF Cybersecurity for Executives Advisory Committee. This committee contributes to the School in many ways including sharing invaluable knowledge to the faculty and students, as well as overseeing the Cybersecurity for Executives Certificate Program.
Kyle brings his extensive 17+ years of experience in technology to this esteemed committee. The last 7 of those years have been spent with DAS Health, where he currently oversees departments responsible for the cybersecurity of 8 million patients’ records and a real-time Disaster Recovery (DR) system that spans the continent, as well as other customer-facing disciplines. Kyle also has 10 years of prior technical experience in the field, including his active duty in the Marines, where he worked with the National Security Agency (NSA) in counterintelligence. During this time, he trained in multidiscipline intelligence collection and operations and became skilled in troubleshooting computer hardware and network issues. Kyle was honored as a 2017 Tampa Bay Business Journal Heroes at Work honoree, an award that recognizes veterans who have contributed to their community through their personal and professional endeavors.
“We are delighted for Kyle to be appointed to such a crucial advisory committee,” said David Schlaifer, President and CEO of DAS Health. “Kyle brings a unique background and approach to the committee through his experience in Health IT and the remarkable mentorship he provides to his team.”
Kyle will be part of a group of industry leaders who hold expansive professional records ranging from start-ups to government intelligence. This impressive group will guide the course content and mentor the attending executives through an intense, two-day Executive Education Program that is designed to provide a ‘survival guide’ for rising executives. Kyle will use the extensive knowledge he has gained to offer input on USF’s program, create potential internship programs, and visit classrooms and conferences.
- Americans are far less concerned about the security of their personal health data than breaches of financial information, a new SCOUT Rare Insights survey shows.
- Just under half (49%) of adults said they are extremely or very concerned about security of lab results, diagnoses and other health information, compared with 69% who said they are extremely or very concerned about the safety of their financial data.
- The news comes as healthcare organizations continue to face regular cyber threats and data security concerns.
As healthcare organizations amass more and more patient data and patients are pushed to engage with EHRs and patient portals, providers and payers will need to do more to make people aware of best practices and risks.
A study by Accenture and the American Medical Association found that four out of five physicians have experienced a cybersecurity attack. More than half worried such attacks could undermine patient safety, and roughly three-fourths thought future attacks could disrupt their clinical practices and compromise patient records.
In a recent Ponemon Institute survey, 62% of healthcare leaders said their organization experienced a cyberattack in the past year, and more than half said the event resulted in loss of patient data. Patient medical records and patient billing information were the top two targets of hackers.
In February, Partners HealthCare notified 2,600 patients that their personal information may have been compromised when an unauthorized third party introduced malware into its computer system. Banner Health contacted 3.7 million people in August 2016 to reveal that a cyberattack may have exposed their personal data.
“We need to be much more aware and concerned about the safety of our health data,” Raffi Siyahian, principal at SCOUT, said in a statement. “First, the risk of having our medical data exposed is pretty significant. And second, the consequences of someone gaining unauthorized access to your personal health information can be far more damaging than having someone illegally access your personal financial information.”
He noted that banks are typically quick to alert customers when their financial information is stolen, whereas breaches of healthcare data often aren’t spotted for months or years.
“We need to guard and monitor our health insurance cards and medical service statements as rigorously as we guard and monitor our credit cards and bank statements,” Siyahian said.