- Healthcare providers must adhere to HIPAA rules and required state regulation with regard to maintaining data security. But not all regulations are specific in how covered entities should approach healthcare cybersecurity in an evolving industry.
The Health Care Industry Cybersecurity Task Force report that was published earlier this year highlighted medical device security as a key imperative, along with improving information sharing.
While the Task Force report is guidance and not law, it still holds key recommendations for healthcare organizations, according to Jennifer Rathburn, partner with Foley & Lardner LLP.
“You have to stay one step ahead in the world of cybersecurity,” Rathburn told HealthITSecurity.com. “While this report is not law, healthcare organizations should take the recommendations seriously. Thoughtful minds came together thinking about some of the big issues.”
Created under the Cybersecurity Information Security Act of 2015, the Task Force included representatives selected by the Secretary of Health & Human Services in coordination with the Department of Homeland Security and NIST.
The report to Congress outlined the following six imperative areas and included recommendations for how to make improvements:
- Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity
- Increase the security and resilience of medical devices and health IT
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
- Increase healthcare industry readiness through improved cybersecurity awareness and education
- Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure
- Improve information sharing of industry threats, risks, and mitigations
The HIPAA Security Rule itself is old, Rathburn noted. It came out in the early 2000s and does not prescribe specific technical measures.
“It really tells an organization the requirements it needs to consider for administrative, technical, and physical safeguards,” she said. “Some are required and some are addressable.”
Other guidance from agencies such as OCR and NIST on the other hand discuss important best practices.
HIPAA is also not likely to be updated to account for the increasing amount of technological options, Rathburn pointed out. HHS may choose to endorse certain frameworks, perhaps one with more guidance on data encryption for example. But Rathburn maintained that HHS should not and likely will not get into specific technical controls.
READ MORE: How Data Encryption Benefits Data Security
She added that HITRUST can be a critical framework for healthcare organizations, especially as it incorporates numerous other frameworks (i.e. ISO, SANS, HIPAA). While it is not required to be HITRUST certified, Rathburn noted that it could be beneficial in helping entities find options best suited to their data security needs.
Healthcare organizations must determine reasonable and appropriate security measures for their own needs and characteristics, according to HHS.
“No specific requirements for types of technology to implement are identified,” the HIPAA Security Series explains. “The Rule allows a covered entity to use any security measures that allows it reasonably and appropriately to implement the standards and implementation specifications.”
Medical device security was one key area in the Task Force report that covered entities should note, Rathburn stated. Internet of Things (IoT) devices in general require entities across sectors to take careful consideration in their risk analysis, she said.
“Whenever you bring a device or other sort of technology into your environment that could bring a security risk, you don’t need to do a full blown update on your risk analysis but you need to think about how that device could bring risk into your organization,” Rathburn explained. “Some organizations have been doing that for years, but not all of them.”
The Task Force report rightfully pointed out the need for continuously updating an organization’s risk management plan, she added.
“The big focus in cyber in general, is really a continual evaluation of the risks and vulnerabilities to your organization and how you’re going to implement a risk management plan to try to alleviate those risks,” Rathburn said.
Maintaining security with the rise of ransomware
Along with properly monitoring the potential risk with adding in new connected medical devices, organizations should also be aware of the potential risk of ransomware, according to Rathburn.
No healthcare organization is safe from this cybersecurity threat, especially with more covered entities becoming dependent on the internet.
OCR has also issued ransomware guidance, which organizations should regularly review and ensure they understand the consequences of failing to report a breach stemming from a ransomware attack.
Whether or not a ransomware attack needs to be reported as a possible data breach is a very controversial topic, Rathburn admitted.
“Oftentimes, the attackers will not even exfiltrate an organization’s data,” she said. “Sometimes they don’t even look at your data: they just encrypt it so you can’t use it.”
However, this is where the OCR guidance is so important, Rathburn stressed.
“Many entities are now aware of that guidance, but they may not think ransomware is something that has to be reported as a breach,” she stated. “Whether it’s reporting it to individual patients, health plan enrollees, OCR, etc However, OCR presumes ransomware to be a reportable breach.”
OCR explains in its guidance that it will presume a breach occurred if an attack involved unencrypted data. An entity will need to prove that the ePHI was in fact encrypted throughout the entire process, including before an attack and when the attack encrypted data again.
“If full disk encryption is the only encryption solution in use to protect the PHI and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted with the same access levels granted to the user,” the guidance reads.
“Because the file containing the PHI was decrypted and thus ‘unsecured PHI’ at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed.”
Organizations can still go through the risk assessment process following a ransomware attack, working to ensure a low risk of compromise, Rathburn said.
“It’s still a fact and circumstance analysis,” Rathburn explained. “If a health system’s main electronic health record experienced ransomware and there were no backups and it affected patient safety, it would be difficult to argue there was low risk of compromise. But it really is a fact and circumstance analysis paired with the guidance from OCR.”