I read with immense interest the letter[1] that Senator Mark Warner sent to Alan Miller following the ransomware attack on Universal Health Services earlier this fall. As we have seen, cyberattacks are compromising the confidentiality of patient data. They are also threatening and interrupting the availability of healthcare services, resulting in grave implications for patient safety and eroding confidence in our nation’s healthcare system. While cybercriminals are behind many of these attacks, others are sponsored by adversarial nation states that are targeting our valuable clinical research data and present a threat to our national security.
I applaud Senator Warner for recognizing the gravity of these cyberattacks and taking action to address the continued challenges our nation’s healthcare organizations face in establishing adequate cybersecurity safeguards to defend against these cyberattacks. The threat landscape and attack surface are evolving rapidly, and the healthcare ecosystem is becoming more interconnected. While some healthcare providers are systematically analyzing and responding to risks across the enterprise, the majority are not. Unless these healthcare providers change their approach to dealing with this problem, it is reasonable to believe that the situation will only get worse.
Clearwater supports cybersecurity and HIPAA compliance programs at some of the country’s largest integrated delivery networks, several innovative healthcare technology companies, and numerous community hospitals, physician practice groups and insurance carriers, all of whom have been very successful in this area. Our work provides me with a direct view into the challenges the industry faces in improving cybersecurity, and I know first-hand that these challenges can be addressed.
Without question, for most healthcare providers, cybersecurity is under-resourced. Health system executives consistently tell me that the rise in their operating costs and declining revenues resulting from lower reimbursements and shift of profitable services to outpatient clinics are some of the reasons why they cannot afford much-needed risk management and cybersecurity investments. COVID-19 has only aggravated this problem. The pandemic and resulting reduced revenues are forcing many healthcare providers to make tough budgetary decisions. In many cases, they have chosen to furlough cybersecurity and IT resources and reduce funding for or even forego aspects of cyber risk management efforts.
HIPAA Security regulations exist to mandate security investments, yet they have not been impactful enough to weigh against these market pressures. HIPAA regulations are woefully out of date and are too vague given today’s cybersecurity challenge. Healthcare organizations may be subject to investigations by the HHS’ Office for Civil Rights (OCR), but in general, OCR does not audit healthcare providers for HIPAA compliance. Considering the number of attacks on our healthcare systems, OCR has reached settlements or imposed civil money penalties in relatively few instances of HIPAA Security Rule violations. When there are enforcement actions, the penalty amounts are minuscule compared to, for example, those from the Office of Inspector General concerning fraud, waste, and abuse. For many healthcare providers, the threat of a HIPAA enforcement action has not been likely or impactful enough to motivate them to comply with risk analysis and risk management requirements of the HIPAA Security Rule in a manner that is appropriate for the size and complexity of their organizations.
Cyberattacks on our health system continue to grow in frequency and sophistication, making it difficult for security professionals to keep up. In Black Book Market Research’s recently published survey of 2,464 security professionals from 705 healthcare provider organizations, 96% of those surveyed agreed that data attackers are outpacing their own organization’s ability to respond, holding providers at a significant disadvantage to their adversaries[2]. The attack surface continues to grow more extensive due to the rapid digitization of healthcare, expansion of telehealth, and the shift to a remote workforce. This phenomenon has inevitably led to increased vulnerabilities, while cybersecurity resources have become even more strained during the pandemic.
Senator Warner cited in his letter that “Ransomware continues to impact organizations that have not demonstrated sufficient risk management maturity.” I would submit that the healthcare industry’s deficiency in conducting systematic risk analysis and risk management is unequivocally the root cause of successful cyberattacks against our health system. We believe that OCR Director Roger Severino would agree that this supposition has merit. At the 2019 Safeguarding Health Information: Building Assurance through HIPAA Security Conference, hosted by the OCR and the National Institute of Standards and Technology (NIST), Director Severino said during his keynote address: “The single most important thing you can do to protect yourself [against a breach] is to conduct a risk analysis… It’s also the area where we have had the most enforcement.”
The HIPAA Security Rule 45 CFR § 164.308(a)(1) requires that all healthcare covered entities and business associates conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization. Yet, many hospitals and health systems across the nation fail to make the necessary investment to conduct risk analysis as required by the rule and in accordance with the nine essential elements required by OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule[5].
The need to advance cyber risk management in our nation’s hospitals has become clear through our experience helping dozens of healthcare organizations respond to OCR investigations or directives resulting from past breaches and by our review of all ePHI-related HIPAA enforcement actions by OCR. Our analysis of OCR enforcement actions (based on publicly available information) reveals that failure to conduct sufficient risk analysis and risk management are cited violations in nearly 90% of these cases.[6] OCR Director Roger Severino has continued to emphasize this issue, including this comment from February of this year: “For enforcement purposes, there’s still a lot of low-hanging fruit. There are a lot of entities that are not doing the basic steps . . . They’re not doing the comprehensive risk analyses . . .[7]“
Rather than invest in risk analysis and risk management processes, many healthcare organizations rely on high-level control checklists to evaluate the effectiveness of their security program. Checking boxes, rather than evaluating whether those controls are sufficient to reduce each organizations’ risks to sufficient levels, may provide a false sense of security. Other organizations that do assess risks, may not do so for all of their information systems, or all of their components. As a result, important risks may be missed, and security investments may be misdirected rather than optimized to ensure that they reduce as much risk as possible. Failure to conduct enterprise-wide risk analysis can leave gaping vulnerabilities exposed. Without compensating controls, cyberattacks can easily exploit these vulnerabilities, as we have witnessed time and again.
Cyber risk management is not a novel concept. Under Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure issued May 11, 2017[8], our government “agencies (agency heads) [are] accountable for managing cybersecurity risk to their enterprises.” Risk management processes and guidelines are well established and available through National Standards of Technology Special Publications 800-39 Managing Information Security Risk: Organization, Mission, and Information System View[9] and 800-30 Rev. 1 Guide for Conducting Risk Assessments[10].
Customers we work with follow these tried and proven cyber risk management processes. Risk-based cybersecurity is strongly embedded in their governance processes and guides their cybersecurity strategy. They define their risk tolerance levels, inventory components of information systems that create, transmit, receive, or maintain electronic protected health information, and systematically identify, prioritize, and respond to high risks on a continuous basis. They monitor changes in their environment that may affect the likelihood or impact of a breach and assess whether additional security measures are warranted. Their cyber risk management programs make it clear where to prioritize cybersecurity efforts. Because they have taken this approach, even with limited resources, they have avoided ransomware attacks and breaches that have plagued others in the industry.
It is time for all healthcare providers across the entire healthcare industry follow the lead of these healthcare organizations, our government, and our other critical infrastructure industries, by systematically performing risk analysis across their enterprises and taking a risk-based approach to managing cybersecurity programs. Only by first identifying and prioritizing their own unique cyber risks, can healthcare organizations ensure that each dollar invested in cybersecurity is invested in the best place, and know where additional investments are required to adequately protect themselves, their patients, and their sensitive data.
Hear more of my perspective on this subject during next week’s HIMSS Healthcare Security Forum and reach out to me with your comments and questions at steve.cagle@clearwatercompliance.com.
[6] Analysis can be provided upon request under confidentiality agreement.
