Over the past 10 years, the healthcare industry’s understanding of cyber risk has evolved through four distinct phases, emphasizing four different aspects of cyber risk. Understanding these four different phases gives context for where healthcare cyber risk began and where it is now.
HIPAA was enacted in 1996.i The HIPAA Privacy Rule went into effect in 2003 and the HIPAA Security Rule went into effect in 2005.ii In the early 2000s, HIPAA enforcement efforts were complaint-driven and reactive, resulting in minimal compliance efforts. That changed with the passage of the HITECH Act. The HITECH Act changed breach reporting requirements, expanded the types of entities subject to HIPAA’s privacy and security rules, and increased penalties for lack of compliance and increased enforcement activities. These changes ushered in the first phase of cybersecurity in the healthcare industry: The Compliance phase (figure 4.1).
In 2015, data breaches at Anthem, Premera Blue Cross, Excellus BlueCross BlueShield and others exposed the data of more than 193 million individuals.iii These breaches reinforced the idea that cybersecurity in healthcare was about more than simply HIPAA compliance. It became clear that cyber risk was a security issue. Healthcare organizations increased their efforts around security and cyber risk management, ushering in a new phase of cyber risk focus: The Security and Cyber Risk Management (CRM) phase.
Around the same time as these data breaches were occurring, connected medical devices were gaining acceptance-and providing new opportunities for cyber attackers. As early as 2011, security researcher Jay Radcliffe demonstrated how he could remotely hack into and disable an insulin pump.iv In 2013, the Food and Drug Administration (FDA) issued guidance on cybersecurity and medical devices. In 2017, the FDA recalled an implantable pacemaker over concerns it was vulnerable to hacking.v By 2018, incidents like these led to a new cybersecurity focus within the healthcare industry; I call this the Patient Safety phase.
Now, as we begin 2021 and beyond, the healthcare industry has entered a new phase: Medical Professional Liability. There has not yet been a highly publicized, cyber-driven, medical malpractice lawsuit, but progressive organizations know that it is coming and they are working hard to get ahead of this trend. More and more organizations are connecting the dots between cyber risk, patient safety and medical professional liability. They are rightly beginning to view Enterprise Cyber Risk Management (ECRM) as an enterprise risk management issue, not an IT problem, and elevating ECRM’s role within the organization accordingly.
Healthcare organizations are subject to a number of privacy, security and breach notification rules that range from local to state to federal to international regulations. This means that your ECRM program is not only an important business requirement, but it is also required by law. Some of the key sources of regulations related to data privacy, security and breach notification include the following:
- HIPAA-HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA’s Privacy, Security, Enforcement and Breach Notification Rules, as articulated in the Omnibus Final Rule, which was published in 2013, provide the foundation for the healthcare industry’s privacy and security laws.vi It is the standard against which HIPAA compliance is measured. The privacy, security and breach notification rules contained in HIPAA apply to PHI, a broad category that encompasses many different types of clinical and administrative data. PHI is defined as “individually identifiable health information.”vii Every organization that “creates, receives, maintains, or transmits protected health information” is required to comply with HIPAA.viii
- State Laws-As of this writing, the U.S. has not enacted any single, overarching data protection legislation.ix States, however, are another matter. All 50 states, and the District of Columbia, require that residents be notified in the case of a data breach of practically any type of personally identifiable information (PII), including PHI.x State definitions of protected information and breaches, and regulations around notification, vary widely. One trend that is evident across state-initiated privacy and security regulations is an emphasis on risk-based information security. In this respect, state laws are mirroring HIPAA’s requirements for risk-based data security measures based on comprehensive risk analysis.
- The Federal Trade Commission (FTC)-The FTC is “an independent U.S. law enforcement agency protecting consumers and enhancing competition across broad sectors of the economy. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace … This broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models.”xi The FTC has increasingly been leveraging its authority to protect consumer privacy and personal information. The FTC’s focus on data privacy and security has the potential to impact your organization. One recent example of the FTC’s perspective and influence is the 2019 settlement with Facebook. The final settlement included the following requirements:
- The organization must establish an ongoing Independent Privacy Committee;
- The organization must engage an external firm to conduct an initial Independent Privacy Program Assessment, and to continue to conduct such assessments every two years for the next twenty years;
- Each fiscal quarter, the Principal Executive Officer and the Designated Compliance Officer(s) must sign a certification related to the establishment, implementation and maintenance of a Privacy Program compliant with the requirements of the settlement;
- Conduct risk assessment and risk management prior to modifying products, services or practices or implementing new products, services or practices.xii
- Europe’s General Data Protection Regulation (GDPR)-The GDPR, which went into effect in May 2018, protects EU citizens no matter where they are in the world; as such, compliance with the GDPR’s data privacy regulations must be taken into account regardless of whether an organization maintains a physical presence in the EU or not.xv
Despite the importance of compliance with applicable laws and regulations, it is important to clarify that regulatory compliance does not equal security. Many organizations operate under the misconception that compliance with the original HIPAA legislation (enacted more than 20 years ago) or the HIPAA Security Rule (effective 15 years ago) is sufficient. I’m using the term “compliance” here in the sense of a checklist approach to regulatory requirements: Simply ticking off boxes on a controls checklist or list of best practices and calling it good does not translate into effective security.
That is not sufficient to secure your organization’s data, systems, and devices. And multiple Office for Civil Rights (OCR) enforcement actions demonstrate that this type of “checklist” exercise doesn’t meet HIPAA Security Rule requirements for an effective ECRM program, either. An effective ECRM program is more complex, more specific and more nuanced than marking off a checklist.
For example, the HIPAA Security Rule doesn’t require just one type of assessment: it actually requires that organizations conduct three different types of assessments (figure 4.2).
It is important that your organization understands the differences between these three types of assessments in order to implement a program that is compliant with the HIPAA Security Rule. But for our purposes here, what I want to emphasize, is that one of the three required assessments is the risk analysis. This analysis, which identifies and documents your organization’s unique assets, threats and vulnerabilities, is what provides the foundation for an effective ECRM program. And a comprehensive ECRM program-not compliance, in and of itself-is what ultimately keeps your organization secure.