HIT Think

Why federal worry over cyberattacks puts pressure on providers

Federal attention to the cybersecurity risks facing the healthcare industry has been rising, reflecting growing government concern about the vulnerabilities that providers and payers face.

As awareness of these vulnerabilities grows, it will become increasingly important for the healthcare industry to step up its game. Given how central connected systems now are to care delivery, healthcare entities must ensure that their systems are kept up to date and that proper cybersecurity measures are in place.

Earlier this month, the House of Representatives Committee on Energy and Commerce Subcommittee on Oversight and Investigations held a hearing to discuss strategies for addressing cybersecurity. Steve Curren, director for the division of resilience within the Department of Health and Human Services, testified that, “in the past five years, few infrastructure issues have challenged the healthcare and public health sector. . . more than cybersecurity.”

Noting that cybersecurity is both “a direct and a secondary threat” since it “can impact everyday patients and healthcare delivery by locking down access to power, important medical information and life-saving equipment,” Curren stated that cybercrime can also “exacerbate an existing emergency when hospitals, EMS, and emergency first responders are already working at a frantic pace to save lives and cannot afford to lose access to communications or risk further delays in their response.”

The House Subcommittee hearing came on the heels of the release of the long-awaited HHS Health Care Industry Cybersecurity Task Force report, which established six high-level imperatives around which it organized its recommendations and action items for increasing security within the healthcare industry:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, risks and mitigations.


The timing of both the House hearing and the release of the HHS Task Force report was particularly important, as they came on the heels of the unprecedented WannaCry global ransomware attack, which infected more than 200,000 computer systems in 150 countries. While U.S. healthcare entities largely escaped unscathed, the WannaCry attack temporarily crippled the National Health Service in Great Britain, impacting patient care by locking doctors and nurses out of patient records, forcing providers to cancel surgeries, X-ray sessions and other nonemergency services, and forcing hospitals to divert ambulances to other nearby hospitals.

Additionally, over the past few months, the FBI has stepped up its messaging. For instance, in March, the FBI issued guidance specifically applicable to medical and dental facilities regarding cybercriminals targeting File Transfer Protocol (FTP) services operating in “anonymous mode” to compromise protected health information.
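The FBI notice above concerns FTP servers left in anonymous mode. As an added example (not from the article or from any FBI or HHS material), the following self-check audits a vsftpd configuration for that exposure; it assumes vsftpd's directive names and their documented defaults, and the sample configurations are constructed.

```python
# Added example (not from the article or any FBI/HHS guidance): a defender's
# self-check of a vsftpd.conf for the "anonymous mode" exposure the FBI notice
# described. Assumes vsftpd's directive names and documented defaults.

# Directives governing anonymous access and vsftpd's documented defaults.
ANON_DEFAULTS = {
    "anonymous_enable": "YES",         # anonymous logins allowed by default
    "anon_upload_enable": "NO",        # anonymous users may upload files
    "anon_mkdir_write_enable": "NO",   # anonymous users may create directories
    "anon_other_write_enable": "NO",   # anonymous users may delete or rename
}
WRITE_KEYS = tuple(k for k in ANON_DEFAULTS if k != "anonymous_enable")


def parse_vsftpd_conf(text):
    """Return {directive: VALUE} from vsftpd.conf text; the last setting wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_anonymous_ftp(text):
    """Return findings (list of str) about anonymous access; empty means none.

    An absent anonymous_enable line is still reported, because the directive
    defaults to YES: the effective setting matters, not the visible one.
    """
    settings = parse_vsftpd_conf(text)
    effective = {k: settings.get(k, d) for k, d in ANON_DEFAULTS.items()}
    if effective["anonymous_enable"] != "YES":
        return []
    how = "set explicitly" if "anonymous_enable" in settings else "vsftpd default"
    findings = [f"anonymous_enable=YES ({how}): anonymous logins accepted"]
    findings += [f"{k}=YES: anonymous users can write to the server"
                 for k in WRITE_KEYS if effective[k] == "YES"]
    return findings


# Constructed sample configurations, not real server files.
WEAK_CONF = "listen=YES\nanonymous_enable=YES\nanon_upload_enable=YES\nlocal_enable=NO\n"
IMPLICIT_CONF = "# anonymous_enable never set, so the default applies\nlisten=YES\nlocal_enable=YES\n"
HARDENED_CONF = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("implicit", IMPLICIT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_anonymous_ftp(conf) or ["no anonymous-access exposure"])
```

The "implicit" case is the one most often missed in practice: a configuration that never mentions anonymous access still accepts it because of the default.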


Similarly, in May, then-FBI Director James Comey spoke before the American Hospital Association regarding the FBI’s ability to combat cyber-attacks. He cited ransomware as the top cyber threat confronting health systems today and urged hospital leaders and health systems to report attacks to the FBI and government officials, instead of automatically paying ransoms, noting that “Paying up is ultimately harmful because it encourages cybercriminals to keep targeting healthcare organizations.” Comey also encouraged hospital leaders and health systems to maintain backup systems to protect valuable patient data.

While all industries face an increasing threat of attacks on their information systems, healthcare systems are prime targets for computer hacking and ransomware, and attacks on them are rapidly accelerating. Healthcare systems are attractive to attackers because of the value of the multiple kinds of information they hold and because healthcare organizations are obligated to protect that data.

Under U.S. law, protected health information can be any information about an individual’s health status, the provision of healthcare or payment for healthcare that is created or collected by a “covered entity,” and that can be linked to a specific individual, including a patient’s medical record or payment history. Therefore, a covered entity’s inability to access a patient’s PHI because of a ransomware attack is not only a financial inconvenience for the covered entity, but is also a matter of life or death for patients. Additionally, by obtaining PHI, cybercriminals not only jeopardize patient care, but also may use PHI to commit a wide variety of complex financial crimes. For example, in one case investigated by the FBI, cybercriminals opened health savings accounts and used that money to purchase a variety of goods.

The lasting impact of WannaCry is a heightened awareness of the prevalence and destructive capability of these attacks, and it serves as a strong reminder to the healthcare industry of the necessity of prioritizing the security of its computer systems. Indeed, experts on the issue have stated that the WannaCry attack provides an example of how unprepared healthcare is to defend itself.

HHS also has recently released a useful quick-response cyber-checklist that provides advice on how best to respond to cyberattacks.


This guidance recommends taking the following steps:

  • Execute response and mitigation procedures to stop the incident.
  • Report the crime to law enforcement agencies.
  • Report “cyber threat indicators” to federal and information-sharing and analysis organizations.
  • If the breach affects 500 or more individuals, report the breach to OCR no later than 60 days following discovery of the breach, in accordance with HIPAA breach notification requirements.

Rising federal attention will place an increased spotlight on the healthcare industry to protect PHI more carefully and take steps that show data security is being handled in a thorough and responsible manner.
