The digital transformation of healthcare is rapidly driving the adoption of new technology and information systems to support key business initiatives. We are experiencing a veritable explosion in health care data, systems and devices. Healthcare data has grown by 878% since 2016[1], and the number of endpoints from which it can be accessed is growing exponentially. It is estimated that 25,000 petabytes of healthcare data will be online by 2020.[2] The Internet of Medical Things (IoMT) is expected to grow to more than 50 billion devices by 2021[3]. In addition to the external devices like wireless IV infusion pumps or heart monitors that may be attached to our patients, the IoMT includes wireless implantable devices such as deep brain neurostimulators, cochlear implants, gastric stimulators, cardiac defibrillators / pacemakers, foot drop implants and insulin pumps.
Healthcare data, systems and devices are more voluminous, more visible, more valuable and, at the same time, more vulnerable than ever. According to one survey, more than 1 in 3 healthcare organizations have suffered a cyberattack while 1 in 10 have paid a ransom.[4] In terms of vulnerability, in its April 2014 Private Industry notification, the FBI wrote “The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors; therefore, the possibility of increased cyber intrusions is likely.”[5] We have certainly seen evidence of that over the last five years.
These continuing trends are resulting in even greater cyber risk exposures for healthcare organizations. In the first half of 2019, there were 285 reported breaches affecting 32 million individuals, more than double the total for all of 2018.
In the wake of so many largescale data breaches, the Office for Civil rights (OCR) has stepped up HIPAA enforcement, levying a record $28.7M in fines in 2018, representing an increase of almost 50% over 2017. Comprehensive, and high-quality risk analysis and risk management are among the highest areas of their focus as OCR official Nick Heesters recently commented:
“Some of the risk analysis we get back just doesn’t really reflect what the rule requires. The rule requires that it be done in an accurate and thorough manner. To accurately and thoroughly assess the risks to an organization’s ePHI. Frankly, that’s not what we get.”[6]
As of this writing, an analysis of 66 OCR Enforcement Actions indicates there were 48 cases involving electronic protected health information, where risk analysis and risk management were to have been performed by the organization who suffered the breach. In those 48 cases, OCR found 43 organizations or 90% had not completed an OCR-quality risk analysis®. Forty of the 48 (83%) had adverse findings when it came to risk management. To date, OCR has collected $106.9 million in negotiated settlement amounts and civil money penalties.[7]
To illustrate, following are some statements made by OCR Director Roger Severino regarding the mandate for comprehensive, enterprise-wide risk analysis:
- Failure to conduct an enterprise-wide risk analysis can be expensive. $3.5 million. “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” Roger Severino, Director | OCR| Fresenius Medical Care North America Press Release | February 1, 2018
- Failure to update a risk analysis following changes can be painful. $3.0 million. 2 separate breaches following changes in the technology environment. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.” – Roger Severino, Director | OCR | Cottage Health Press Release | February 7, 2019
- Warnings to Business Associates – You must conduct a comprehensive risk analysis too. $100,000. “Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.” – Roger Severino, Director | OCR | MIE Press Release|May 23, 2019[8]
In addition to satisfying regulatory requirements, there is a growing need for healthcare organizations to understand where their highest exposures are in order to ensure they are protecting their assets appropriately by prioritizing and investing in the most optimal security controls to maximize their limited budgets. Despite 82% of hospitals reporting breaches, only 5% of hospital IT budgets go to cybersecurity. Financial services, which is considered much more mature in cyber risk management, spends 7.1%.[9] Miniscule budgets and limited cybersecurity staff make it critical for hospitals to ensure they focus resources on mitigating their highest risks. A hospital, or other healthcare provider, can only be certain it is implementing the right controls if it knows where it has gaps.
Third-party vendors (business associates under HIPAA) must also understand and respond to cybersecurity risks. In fact, this has become an essential part of doing business if one wants to sell its products or services to healthcare providers. As a result of the wave of vendor-related breaches, hospitals and other providers have become hypersensitive to privacy and security. They are holding their vendors accountable to much higher standards, in some cases higher than the ones they hold themselves to. As one healthcare technology firm executive said, “Demonstrating we can protect their data is table stakes – without it, we don’t even get a shot at the business.” Another referenced that his company’s ability to demonstrate it has a cyber risk management program in place that “follows the regs, gives them a competitive advantage.”
Enterprise Cyber Risk Management Software (ECRMS): Better Way to Manage Cyber Risk
In response to growing threats, increased regulatory scrutiny, and customer demand, leading healthcare organizations are recognizing that traditional approaches to assessing and managing cyber risk are not effective. A well-designed information security program begins with an enterprise risk analysis, which assesses vulnerabilities and risks that apply to each and every information system that maintains sensitive data such as ePHI. It continues with an integrated risk management program, which tracks and manages risk remediation action items that ultimately reduce risk to acceptable levels.
Until recently, most healthcare organizations have struggled to execute an enterprise-wide, information system-based risk analysis and risk management program as they have lacked the software tools and methodologies to do so. Without a system in place to identify and remediate high risks, these organizations face the very real potential of experiencing a preventable breach, which can lead to fines, lawsuits, disruption in operations, reputational damage, and loss of customers.
Many healthcare organizations struggle to:
- Maintain inventory of their healthcare data, systems and devices, and many have not even identified their “crown-jewel” information assets
- Establish a common definition of risk, and their cyber risk appetites
- Perform risk analysis on all information systems across the enterprise
- Assess likelihood and impact of asset-vulnerability-threat scenarios relevant to their systems
- Retain a single source of truth for risks
- Track and manage risk mitigation action items effectively
- Report on progress of risk analysis and risk response to governance functions
- Treat cyber risk management as a continuous process
Managing cyber risk in healthcare today is complex. Risk presents itself in an ever-changing threat landscape, filled with bad actors who don’t play by the rules. A healthcare organization trying to manage this cyber risk without software specifically designed for this purpose is no better off than one who is trying to manage payment processing, payroll, or electronic medical record keeping with spreadsheets.
Best-in-class Enterprise Cyber Risk Management Software (ECRMS), such as Clearwater’s IRM|Pro®, not only facilitates compliance with regulations, but also creates the basis for a comprehensive, integrated, and holistic approach to identifying, managing and reducing cyber risk across the evolving healthcare IT ecosystem. Deploying an ECRMS in a healthcare organization is no longer an option – it is a necessity in order to maintain secure operations in today’s increasingly digitized health environment.
[1] Dell EMC annual Global Data Protection Index, 2019.
[2] https://archive.siam.org/meetings/sdm13/sun.pdf
[3] https://www.i-micronews.com/products/connected-medical-devices-market-and-business-models-2017/?cn-reloaded=1
[4] https://www.businesswire.com/news/home/20180523005185/en/Survey-Reveals-1-3-Healthcare-Organizations-Suffered%5D
[5] 8 April 2014 FBI PIN #: 140408-009 (U) Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain
[6] https://clearwatercompliance.com/blog/key-takeaways-from-breakfast-breaches-d-c/
[7] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
[8] https://www.hhs.gov/about/news/2019/05/23/indiana-medical-records-service-pays-100000-to-settle-hipaa-breach.html
[9] https://www.beckershospitalreview.com/cybersecurity/5-of-hospital-it-budgets-go-to-cybersecurity-despite-82-of-hospitals-reporting-breaches.html