The health sector is under siege from cybersecurity threats. Some of the largest announced cyber attacks in U.S. history have targeted organizations in the health industry. Regulators have taken notice of this evolving cyber threat landscape and have increased enforcement actions in an effort to motivate those who manage health information to enhance their cybersecurity protections. The U.S. Department of Health and Human Services (HHS) has ramped up enforcement of the HIPAA Security Rule, and the Federal Trade Commission (FTC) has made clear that entities responsible for consumer health data must employ “reasonable” security measures. Attention to cybersecurity is also increasing at the Food and Drug Administration (FDA), which held a two-day cybersecurity workshop earlier this year and has issued guidance on both premarket and post-market cybersecurity management for medical devices.
Cybersecurity is a business issue, not a technology problem. Organizations need to take a holistic approach to cybersecurity risk management. Regulators have already signaled that cybersecurity risk assessments are foundational to meeting legal requirements, and such assessments often define the baseline for reasonable security within the organization. Cybersecurity risk management involves identifying priorities and allocating resources effectively and appropriately. In an environment where many breach or cybersecurity incidents trigger notification obligations, entities can better control the narrative regarding what was reasonable at the time if they’ve regularly monitored their cybersecurity risk profile and allocated resources accordingly.
Recent studies suggest that the vast majority of health organizations have experienced data breaches and significant cybersecurity incidents. Health data is valuable, and individual patient information can fetch premium prices on the black market. Criminal attackers, domestic and foreign, most likely target the health sector to better understand the healthcare system in order to commit fraud or other illegal acts, and as part of industrial espionage programs. Robust economic growth in the health sector makes information on potential mergers and acquisitions, strategic partnerships, and future ventures a particularly lucrative target for malicious actors.
Efforts to adequately protect health systems and data from cyber threats will require more than government enforcement actions against potential victims of health-related cybercrime. Clear guidance, industry standards for sharing information about cyber threats, and tools that enable preventive measures could improve cybersecurity in this essential part of the nation’s critical infrastructure. The recently passed Cybersecurity Act of 2015 calls on HHS to examine the health sector’s cybersecurity preparedness and provide a report to Congress. And Congress continues to explore ways to require cybersecurity considerations as part of health IT and interoperability initiatives. HHS is also collaborating on efforts to create a health-specific implementation guide for the NIST Cybersecurity Framework. In Europe, health is one of the essential services that will be governed by the coming Network and Information Security Directive.
Cybersecurity risk management is most effective when it is integrated into an organization’s enterprise-wide approach to managing risk. Businesses operating in the health sector can help manage cybersecurity risks by assessing their practices and:
- Identifying critical assets, including regulated healthcare data (e.g., protected health information);
- Evaluating cybersecurity controls currently in place to protect such assets;
- Documenting the organization’s overall cybersecurity risk profile;
- Identifying areas for improvement, recognizing that adequate cybersecurity is a moving target requiring periodic reassessment;
- Confirming cybersecurity controls are in place and operating effectively, recognizing that cybersecurity is not a set-and-forget activity;
- Reviewing the approach to cyber threat sharing; and
- Elevating cybersecurity within the organization, for example with board-level reporting, involvement of senior management, and a dedicated committee/team focused on managing cybersecurity issues.
Addressing cyber threats is not a set-and-forget activity, and there is no panacea for cybersecurity. Integrating a cybersecurity program into the enterprise’s broader risk management activities helps ensure that organizations are well equipped to implement and maintain reasonable cybersecurity measures and meet legal obligations for safeguarding health data.