The U.S. Department of Health & Human Services (HHS) issued a recent report noting that cybersecurity is a key public health concern that needs “immediate and aggressive attention.” Shortly thereafter, HHS’ Office for Civil Rights (OCR) released a checklist of practical steps health care providers can take to protect themselves and their patients in the event of a cyber attack. Both items underscore the Government’s increased focus on cybersecurity in the health care industry and remind health care providers of the importance of preparing for and appropriately responding to cyber attacks.
The interdisciplinary Health Care Industry Cybersecurity (HCIC) Task Force issued its 87 page report (the Report), mandated by the Cybersecurity Act of 2015, emphasizing the increased responsibility health care organizations have to secure their systems, medical devices, and patient data.
The increased focus on cybersecurity comes in the wake of the recent rise in the number and sophistication of cyberattacks on the health care industry. For instance, the Report notes that the health care sector experienced more cyber incidents resulting in data breaches in 2015 than any of the other 15 critical infrastructure sectors in the U.S. economy. As the health care industry increasingly shifts to electronic health records (EHRs), automated medication delivery systems, and generally more connectivity and dependence on the Internet of Things (IoT), the prevalence and severity of these attacks are likely to increase.
The Report includes several high-level recommendations to federal regulators that could have a significant impact on members of the health care industry, including, among others:
- Creating a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity;
- Requiring federal regulatory agencies to harmonize existing and future laws and regulations that affect health care industry cybersecurity;
- Exploring potential impacts to the Physician Self-Referral Law (the Stark Law), Anti-Kickback Statute, and other fraud and abuse laws to allow health care organizations to share cybersecurity resources and information with their partners; and
- Establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.
The Report also identified several recommended steps for industry members, including identifying a cybersecurity leadership role for driving more robust cybersecurity policies, processes, and functions with clear engagement from executives.
The Report also suggested creating managed security service provider models to support small and medium-size health care providers. The Task Force also recommended that the industry evaluate options to migrate patient records and legacy systems to secure environments (e.g., hosted, cloud, shared computer environments). The imperatives, recommendations, and action items identified in the Report may be a guidebook for future rule-making from HHS aimed at strengthening the privacy of protected health information (PHI) in a new age of cybersecurity risks.
In the wake of the Report and an unprecedented year of increased cyber-attacks against health care entities (including the recent WannaCry attack and the Petya attack), OCR released a checklist of steps that HIPAA covered entities and business associates must take in response to a cyber-related security incident. OCR also published an infographic of the steps, which include:
- Execute response and mitigation procedures and contingency plans. OCR stated that the entity should “immediately fix any technical or other problems to stop the incident” and “take steps to mitigate any impermissible disclosure of protected health information.”
- Report the crime to other law enforcement agencies. These agencies may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service.
- Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs). These include the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.
- Report the breach to OCR as soon as possible. OCR presumes that all cyber-related security incidents where PHI was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised. If the breach affects 500 or more individuals, the entity must notify OCR and the media no later than 60 days after discovery of the breach.
OCR reminded health care providers that when it investigates privacy breaches, it “considers all mitigation efforts taken by the entity” when determining the amounts of any civil monetary penalties that it may assess.