The last couple of years have brought a steady rain of bad news for the healthcare industry when it comes to data security: Insurers faced with massive data breaches affecting thousands of health plans and millions of individuals. Hospitals having to choose between paying cybercriminals or suffering critical data losses. The temptation might be to dismiss some or all of this as the reporting of isolated events, but a closer look at the issues makes clear that the threats to data are real, the cyberattacks potentially devastating, and the costs involved both significant and growing.
Why Is the Healthcare Industry Under Threat?
The driver for attacks on the healthcare industry is simple: money. In a 2014 private industry notice, the Federal Bureau of Investigation’s Cyber Division indicated that a partial electronic health record (EHR) could command $50 on the black market—a far greater return than the $1 typically exchanged in an illegal transaction for a stolen Social Security number or credit card number. Meanwhile, many healthcare providers have introduced new EHR technology which, according to some third-party observers, the healthcare industry is ill-equipped to operate securely. The combination of institutional vulnerability and the heightened value of data in the marketplace makes the industry an attractive target for malicious actors interested in engaging in claims fraud, obtaining prescription medications, or advancing sophisticated identity theft activities.
Who Is Watching?
The risks to the security of protected health information—illustrated not only by the high-profile breaches and ransomware attacks that have been reported in the news, but also by a host of other, less-reported-yet-significant breaches experienced by a surprisingly high number of participants in the healthcare industry—come with increased attention by regulators.
In 2012, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) launched the first phase of its Privacy, Security, and Breach Notification Audit Program to review industry compliance with the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). After repeated delays following the first stage of audits, OCR has now launched the second phase of the program. Covered entities and their business associates are all potentially subject to OCR audits of their compliance efforts. Since “covered entities” include not only providers, but also insurers and healthcare plans, many companies that do not traditionally consider themselves part of the healthcare industry may be subject to audit. According to OCR, Phase Two of the agency’s audit program will consist primarily of desk audits, but on-site audits will also be conducted. As with Phase One, OCR plans to use what it learns during Phase Two to develop a final audit protocol for a permanent audit program.
Who Should Worry?
The scope of the risk—both of an audit and a cyberattack—should be understood as encompassing a much broader industry footprint because employer-provided coverage is one of the central methods for paying for healthcare expenses under the modern U.S. healthcare system. Health plans hold the same reservoirs of data as hospitals and other high-profile targets, but the employers that sponsor them rarely think of themselves as part of the healthcare industry; when it comes to paying for care, however, most employers very much are.
What Can Be Done?
Whether to address the risk of attack or the risk of audit, the foremost priority of any company involved with the healthcare industry should be to establish a robust privacy and security program with policies and procedures designed to meet the legal obligations imposed by HIPAA and tailored to provide safeguards specific to the operations and technology at issue. A hospital needs far different protections for its data than a small employer with an insured health plan and a self-sponsored health flexible spending account, though each is subject to the same rules and regulations. With that said, the following steps are worth considering by any entity that holds health information and is subject to HIPAA:
- Keep data privacy and security policies and procedures current. The laws have changed several times since HIPAA became effective. Policies and procedures should meet the standards set out by current regulations.
- Reassess risks. HIPAA requires periodic risk assessments, and given the rapid changes in both the technology used and the threats faced by the industry, it makes good sense for companies that hold protected health information to regularly revisit the sufficiency of their data privacy and security efforts. Once the risks are assessed, the analysis must then be coupled with reasonable management tools to mitigate the risks identified.
- Plan for failures. HIPAA requires that covered entities implement protections to prevent violations of data privacy and security, as well as adopt contingency plans for addressing how to handle the worst when it happens. A well-designed program will go a long way to position a company as it handles breaches or attacks aimed at stealing or destroying critical medical data.
- Train and practice procedures to ensure they are adequate for when the critical moment arrives. Policies and procedures cannot protect health data if they are not known and followed. Disaster plans that have not been tested are far more likely to fail when they are pulled off the shelf for the first time at the moment of need.
Cyber threats to data security are not going away, but preparation now will both reduce the impact of a future attack and improve a company’s compliance posture should the government come knocking.