Gerry Blass, President & CEO, ComplyAssistant
In the 70s and 80s, healthcare organizations started to migrate their patient management information from hard copy to electronic, either on shared mainframes such as SMS and McAuto or on microprocessors. The user workstations had no intelligence and were known as “dumb terminals.” There were limited locations of electronic identifiable health information. There was no motivation to sell identifiable health information.
Motivation and Opportunity
During the 1990s, the implementation of local and wide area networks, intelligent workstations, and distributed servers increased the risk of unauthorized access. Several breach incidents occurred, including ones involving celebrities such as Britney Spears, Bill Clinton, Arthur Ashe, and George Clooney. Hospital employees sold medical records of accident victims to lawyers. Thus began a trend of increased motivation and opportunity to sell health information for monetary gain.
Health Insurance Portability and Accountability Act (HIPAA)
The initial objective of HIPAA was the administrative simplification of insurance claims through standardized electronic coding. The privacy and security rules were included in the Act due to incidents and increased vulnerabilities. The rules were signed during the Clinton Administration in 1996 and went into effect in 2003 and 2004. Most breach incidents in the early 2000s were caused by internal healthcare employees, both intentionally and accidentally.
Health Information Technology for Economic and Clinical Health (HITECH) Act
HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009 and was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. The Act included the Breach Notification rule, which brought penalties and civil suits into play for incidents that were due to negligence.
Meaningful Use (MU)
The many years and stages of MU resulted in significant migration from hard copy to electronic medical records through the adoption of electronic medical records systems (EMRs). The increase in electronic health information locations and the lack of adequate controls to protect it resulted in cybersecurity attacks. The opportunity for successful attacks was high, along with the motivation.
The HITECH Omnibus final rule, signed in 2013, increased penalties and civil suits for both covered entities (CEs) and third-party vendors (BAs). It also updated breach determinations based on the probability of compromising PHI and defined timeframes for reporting notifications.
Over the past seven-plus years, the healthcare industry continued to be, and still is, the number one (1) target for cybersecurity attackers, now known as “bad actors.” With limited funds and staff, many healthcare organizations are at a disadvantage in managing risk. In addition, the scope and complexity of risk continually increase due to several variables that have multiplied the number of locations of potentially vulnerable PHI. It is difficult for healthcare organizations to keep up with advanced threats. Yet the costs of not keeping up can be even higher from a monetary and patient safety standpoint. With HIEs, IoT, APIs, interoperability, information blocking, the pandemic (remote workforce and telehealth), and breaches caused by third parties, the number of locations of PHI is now growing geometrically, and so is the number of fish in the sea for phishing attacks. What started as perhaps four (4) places for identifiable health information and no motivation for an attack in the 70s and 80s is now unlimited locations and unlimited motivation. In addition, the bad actors know that there is minimal risk of getting caught for their crimes.
The ultimate motivation for bad actors today is to make money with ransomware. So what goes around comes around. The most significant risk back in the 90s was the internal workforce, and with phishing attacks that is still the case today. Healthcare organizations continually train their workforce with mock phishing exercises, and there are still significant vulnerabilities to falling prey to an attack. Today’s motto is “It is not a question of if… it is a question of when.”
When an attack takes down a healthcare organization and its medical devices, patient safety and lives are then at stake – the ultimate feared outcome.
The number of ransomware attacks continues to increase, resulting in large ransom payments and extended periods of downtime that have already crippled critical infrastructure and continue to happen. Recent examples include:
- SolarWinds, which impacted a large number of third-party vendors (BAs) and their clients.
- University of Vermont Health System – resulted in over 30 days of complete shutdown and diversion of patients, such as chemotherapy and dialysis patients, to other healthcare facilities.
- The Colonial Pipeline – an example of how a ransomware attack can cripple our infrastructure.
The Disaster Recovery and Business Continuity (DRBC) Domino Effect
Traditional DRBC plans, based on National Institute of Standards and Technology (NIST) guidance from ten (10) years ago, assumed in their scenarios and business impact analysis a reasonable outage of no more than 72 hours. Business impact assessments (BIAs) weighed variables that resulted in application criticality ratings of high, medium, and low. Department downtime procedures were created based on the BIA. Today, the 72-hour downtime timeframe is no longer reasonable. The incidents listed above resulted in much longer periods of downtime, such as 30 days or more. Healthcare organizations are now re-evaluating their plans to take these potentially extended downtime timeframes into account. The possible scenarios are dramatic and require a strategy that goes beyond systems to include critical business decisions that may have to be made and that significantly impact operations. Examples include when to pay a ransom, notify local police and the FBI, shutter parts or all of the organization, and divert patients. The guidelines from 2010 are not sufficient today and must be updated accordingly.
Health Industry Cybersecurity Practices (HICP) – https://405d.hhs.gov/public/navigation/home
Healthcare organizations should consider implementing HICP to manage threats and controls that reduce risk. HHS commissioned a task force in 2017 to publish the top five (5) threats and top ten (10) recognized security practices, scoped for small, medium, and large organizations. Version 1 was published in December 2018. Updates will continue on an ongoing basis, with several expected during 2021. HICP is based on the NIST Cybersecurity Framework (CSF) and is mapped to other frameworks. There are several reasons for healthcare organizations to adopt HICP. It is voluntary and, if implemented for 12 months, results in incentives should an incident occur. The carrot-vs.-stick incentives include the potential for:
- Mitigation of HIPAA fines
- An early, favorable termination of the HIPAA Audit
- Mitigation of the remedies in a HIPAA resolution agreement with HHS
Threat landscapes will continue to change as technology and other variables evolve. The number of locations of PHI will continue to increase. Keeping a DRBC plan up to date and tested will become even more critical. In doing so, healthcare organizations will make important decisions, such as moving applications to a cloud host, where DRBC plans and procedures are managed remotely by companies whose sole purpose is to protect the confidentiality, integrity, and availability of PHI. Information sharing amongst healthcare organizations about threats and vulnerabilities is, and will continue to be, a must. The bad actors share information. Organizations such as ISAOs (Information Sharing and Analysis Organizations) and ISACAs (Information Systems Audit and Control Associations®) help healthcare organizations do the same in an attempt to stay one step ahead of the bad actors.