The Report on Improving Cybersecurity in the Health Care Industry (“Report”) released this week by the Health Care Industry Cybersecurity (HCIC) Task Force highlights the dramatic increase in cyber threats to data and operational security in the health care industry, and the legal and risk management predicament faced by companies as a result. Although many of the Task Force’s recommendations are directed to federal regulators, the Report suggests several practical steps that companies can take to mitigate both business and legal cyber risks.
As the Report notes, the healthcare sector experienced more cyber incidents resulting in data breaches in 2015 than any other critical infrastructure sector. In addition, the growing prevalence and sophistication of ransomware attacks continues to raise the stakes for attack victims. For the health industry, the harm extends beyond privacy or informational loss; as recent attacks demonstrate, patient safety is often at stake. The global WannaCry ransomware attack last month is merely one of many examples of attacks that can affect patient care by disrupting or disabling hospital networks or medical devices at critical moments.[1] The Report provides a number of timely recommendations to help the public and private sectors work together to better manage risk prevention and respond more effectively to the broad and rapidly evolving array of cyber threats.
Section 405 of the Cybersecurity Act of 2015 mandated the establishment of a public-private Task Force to report to Congress regarding the preparedness of the health care industry in responding to cybersecurity threats. The Task Force was charged with developing recommendations for securing private entities against cyber attacks and protecting networked medical devices and other software and systems that connect to an electronic health record. The Task Force is composed of representatives from a wide range of industries within the health care and public health sector, including hospitals, insurers, patient advocates, security researchers, pharmaceutical companies, medical device manufacturers, health information technology developers and vendors, and laboratories, as well as representatives from government agencies such as DHS. The Report is the result of a year of work in which the Task Force engaged both public and private sector organizations of all sizes and across sub-sectors to address what it identified as some of the most urgent challenges for cybersecurity in the healthcare industry. The Task Force held four meetings open to the general public and numerous smaller meetings with specific stakeholders to develop its imperatives.[2]
The Task Force’s Report describes the challenging complexity of cybersecurity for the health care industry, a sector that includes health systems of varying size, single-physician practices, public and private payers, research institutions, medical device developers, and software companies, coupled with a diverse and widespread patient population. The Report also explains that the industry’s open, sharing culture is a double-edged sword: ready access to patient data enables high-quality care, but the volume of the data and the large number of individuals with access to it present unique security and privacy challenges.[4]
The Report is framed around six high-level imperatives that cover a broad range of areas, including corporate governance, technical security practices, organizational culture, employee and public education, areas for further study, information sharing, and regulatory measures. The six imperatives are:
- “Define and streamline leadership, governance, and expectations for health care industry cybersecurity.”
- “Increase the security and resilience of medical devices and health IT.”
- “Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.”
- “Increase health care industry readiness through improved cybersecurity awareness and education.”
- “Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.”
- “Improve information sharing of industry threats, weaknesses, and mitigations.”
Legal and Risk Management Implications
The Report’s imperatives include recommendations that, if adopted, are potentially significant in several respects:
- Sector-Specific Standards: The National Institute of Standards and Technology (NIST) Cybersecurity Framework is endorsed as the starting point for more specific healthcare sector data protection standards. Specifically, the Report calls for a “consistent, consensus-based health care Cybersecurity Framework,” noting that prior attempts at guidance, such as the NIST-HIPAA crosswalk and guidance from the FDA, have been insufficient to guide the larger industry.
- Emphasis on Risk Assessment and Readiness Exercises: The Report highlights that in bringing enforcement actions against companies for violations of the HIPAA Security Rule, “the Office for Civil Rights has repeatedly cited the incompleteness of risk assessments,” ranging from failure to perform them at all to failure to meaningfully incorporate lessons learned and apply vulnerability patches following risk assessments. The Task Force recommends that HHS and NIST jointly develop a health care-specific risk assessment tool to aid companies with this responsibility, modeled after the NIST Baldrige Cybersecurity Excellence Builder.[5] The Report also recommends annual readiness exercises.[6] Given the emphasis on regular risk assessments and simulation exercises to prepare for attacks, companies should work with outside counsel and technical experts to incorporate meaningful assessment and incident response testing protocols into their information security preparedness and response planning.
- Medical Devices and Health IT: The Report encourages federal regulators to consider using their authorities to catalyze and reinforce industry practices to better secure medical devices and health IT.[7] Companies should prepare for more active supervisory and enforcement activity in the health care cybersecurity space, with regulators focused on pre-incident preparation and risk mitigation as well as prompt and effective incident response. The FDA has already issued cybersecurity guidance for medical devices, with a focus on design and governance.[8] Companies should prepare, implement, and test robust information security programs and cyber incident response plans tailored to meet established legal and technical standards, to help manage risks and reduce legal liabilities. Companies’ technical and compliance functions should work closely with in-house and outside counsel to ensure such efforts comport with legal guidance and, where appropriate, to preserve privilege protection for activities undertaken to prepare for regulator scrutiny and otherwise reduce legal risks.
- Information Sharing: The Report recommends promoting greater sharing of cybersecurity threat information by amending the Physician Self-Referral law and anti-kickback statutes and by encouraging more sharing of information with the private sector relating to insurance fraud and the theft of intellectual property. The Report strongly encourages Congress to evaluate “an amendment to these laws specifically for cybersecurity software that would allow health care organizations the ability to assist physicians in the acquisition of this technology, through either donation or subsidy.”[10] As legal rules and government policies relating to cybersecurity information sharing continue to evolve, companies should look for ways to take advantage of new legal safe harbors to capture value from information sharing within the industry and with the government.
- Cybersecurity Leader at HHS and Streamlined Points of Contact for Industry: The Report calls for the creation of a cybersecurity leader role within HHS to align industry efforts for health care cybersecurity. This leader would serve as a single source to which the health care industry could turn for authoritative clarification, explanation, and guidance in the cybersecurity context. The new position would help to streamline the various regulators who oversee this space.[10]
Overall, the Report largely avoids recommending prescriptive regulation, suggesting instead, at least in the first instance, incentives, public-private partnerships, education and awareness programs, and the sharing of best practices. However, if these voluntary and collaborative approaches fail to provide adequate security, it is likely that federal and state regulators will adopt more specific and prescriptive measures. As the cyber threat to the healthcare industry continues to grow, companies across the industry should carefully review the Report and, as appropriate, implement its recommendations.