The recent ransomware attack on Hollywood Presbyterian Medical Center highlights the healthcare cybersecurity risks organizations face today. Unfortunately, this cyber attack also reveals the inadequacy of the HIPAA Security Rule to provide guidance on the numerous healthcare cybersecurity threats that are not associated with ePHI.
The reasons why HIPAA is poorly suited for the risks posed by cyber threats fall into three categories.
The first is that this regulatory approach is narrowly focused on the security of PHI and addresses only a part of the overall cyber threat.
The second is that a rules-based risk management approach does not work to mitigate the full range of cyber threats and cannot help healthcare organizations increase resilience against an attack.
Finally, a compliance approach to healthcare cybersecurity creates an organizational governance structure that inhibits framing cyber risk as an organization-wide issue and impedes executive and board engagement.
The HIPAA Security Rule established security standards for protecting electronic health information as an extension of the protections already contained in the previously adopted Privacy Rule. Recent experience demonstrates, however, that healthcare providers face numerous cyber risks that have nothing to do with patient information but nevertheless have potentially significant consequences.
The Hollywood Presbyterian attack reportedly did not expose patient data, but it did disrupt hospital operations for 10 days and required a ransom payment to decrypt electronic health records. That same week Magnolia Health Corporation was attacked and employee data was exposed, requiring mandatory state breach disclosure and costs associated with identity theft and credit protection services.
In 2014, Boston Children’s Hospital was attacked, allegedly by the hacktivist group Anonymous, disrupting some hospital operations for “at least seven days.”
The rules-based, compliance-oriented cyber risk management approach works well for healthcare providers that must be in compliance with HIPAA. The problem with this approach is that it gives healthcare executives false confidence that HIPAA Security Rule compliance equates to effective cybersecurity risk management.
Harvard Business School professors Robert Kaplan and Anette Mikes have written that risk management is too often constrained by this compliance-oriented thinking. In order for healthcare organizations to develop and implement effective cybersecurity risk management programs they must recognize and mitigate two other types of cybersecurity risks: strategy risks and external risks.
Healthcare providers are making strategy decisions on integrating EHR systems, increasing the use of telemedicine and purchasing medical devices that are increasingly Internet connected, all of which introduce additional cyber risk not covered by HIPAA.
These strategy decisions need to be accompanied by a cybersecurity risk strategy to ensure that senior executives are aware of the cyber risks they are assuming and can be confident that these risks can be managed.
An increasing number of cyber risks faced by healthcare providers are external risks from criminals and hacktivists, some of which will not be prevented. In this case, cyber risk management approaches need to be designed to understand and frame the range of possible consequences to healthcare organizations and to develop plans to lessen the effects. The time to have a plan for a cyber event is before it occurs, not after.
Congress has also expressed concern about the state of healthcare cybersecurity. In the recently passed Cybersecurity Act of 2015, Congress specifically calls for efforts to improve cybersecurity in healthcare. The secretary of Health and Human Services is directed to support voluntary efforts to improve cybersecurity that are consistent with HIPAA. The better formulation is for HIPAA to be integrated into effective cybersecurity risk management.
In order for healthcare providers to effectively manage the full range of cybersecurity risks they must treat cyber risk as an enterprise-wide risk.
The HIPAA Privacy and Security Rules are an important standard that cannot be compromised, but they address only a subset of the cybersecurity threats healthcare providers face. Healthcare senior executives and boards must develop and adopt cyber risk management approaches that simultaneously deal with risks that are compliance requirements, business strategy decisions and external threats that require imagination to manage and resilience to weather.
Jonathan Litchman, Co-Founder and CEO of the Providence Group, advises senior executives in healthcare on cybersecurity risk management. He is a national security veteran with experience as an intelligence officer, a staff member on the Senate Foreign Relations Committee and a senior security industry executive who consulted on cybersecurity and strategic planning. He was the Executive Secretary for the National Warning Intelligence Task Force and most recently led Edelman Public Relations’ cybersecurity policy and national security practice in Washington, D.C.