Law360, New York (July 17, 2017, 12:36 PM EDT) -- On May 12, 2017, a ransomware attack affected more than 200,000 devices in 150 countries. It shut down medical care in the United Kingdom and created confusion for countless other medical systems, as well as private sector and government institutions. The attack, which later became known as WannaCry, preyed primarily on machines running outdated versions of operating systems that were no longer being supported. A little more than a month later, on June 28, 2017, another ransomware attack spread internationally, initially crippling critical infrastructure in Ukraine and subsequently spreading across the globe. That followed the June 26, 2017, report that Airway Oxygen, a provider of oxygen therapy and home medical equipment, had been the victim of a ransomware attack that impacted approximately 500,000 patient records.
These attacks have spurred the health care industry to engage in a difficult, but necessary self-evaluation of whether it is ready for the next attack. This article will examine some of the recent health care industry developments in the aftermath of these ransomware attacks. One lesson that the industry still has to take notice of, and as set forth bluntly in the Health Care Industry Cybersecurity Task Force’s June 2017 report, is that preparation for and defending against the next attack is not just an information technology problem.
The Health Care Industry Cybersecurity Task Force Report
In June 2017, the Health Care Industry Cybersecurity Task Force released its report on improving cybersecurity in the health care industry. The cybersecurity task force was created pursuant to the Cybersecurity Act of 2015 and was, among other things, tasked both with evaluating the health care industry’s readiness to defend against a cyberattack and identifying ways to improve that readiness. In June, the cybersecurity task force published an 88-page report, which detailed its analysis and six primary recommendations for how to improve cybersecurity in the health care sector.
With respect to the current state of the industry’s cybersecurity readiness, the cybersecurity task force concluded that the industry “cannot deliver effective and safe care without deeper digital connectivity.” Complicating the industry’s ability to become more secure are “well-intentioned federal and state laws and regulations that can impede addressing issues across jurisdictions.” Perhaps most critically, however, the task force concluded that “[m]aking the decision to prioritize cybersecurity with the health care industry requires culture shifts and increased communication to and from leadership ...” In short, the cybersecurity readiness of the health care industry “needs immediate and aggressive attention.” To that end, the task force proposed six primary recommendations, many of which are ambitious in scope:
1. Define and streamline governance and expectations for cybersecurity. This first recommendation focused almost exclusively on a proposal that the U.S. Department of Health and Human Services take the lead in creating industrywide efforts and requirements for cybersecurity in the health care space. Doing so, however, would also require a harmonizing of existing laws and regulations (federal and state). In short, the task force recommended that the laws that govern health care cybersecurity be made more clear and streamlined as opposed to the patchwork of state and federal regulations that exist currently.
2. Increase the security of medical devices and health IT. This next recommendation mostly focused on the software and hardware that enables the health care industry. The recommendations in this category included moving sensitive data off legacy systems that may no longer be supported. The task force also called for the creation of security standards and life cycles for medical hardware and software.
3. Develop internal awareness and industry standards. Next, the cybersecurity task force recommended the creation of standards — internal and industrywide — that would serve as benchmarks for appropriate cybersecurity across the industry. Recognizing that a one-size-fits-all approach would not work in a diverse industry such as health care, the task force recommended the creation of cybersecurity models for large, medium and small companies.
4. Improved readiness through education. Of all of the cybersecurity task force recommendations, this one speaks most directly to the needed “culture shift” in the health care industry. The task force recommended that companies develop cybersecurity awareness programs for executives (officers and directors of companies), internal communication and education mechanisms for employees, education programs for patients, and a method through which a private-public partnership could be created so that information could be shared. In short, the task force recommended that those in the sector pay more attention to — and discuss more openly — cybersecurity.
5. Protection of research and development. The cybersecurity task force also focused on the theft of intellectual property, which is a valuable commodity in the health care space. In particular, the task force suggested that regulators and companies in the health care industry should work to secure big data sets and other intellectual property.
6. Improve information sharing of threats, risks and mitigations. One of the more direct fallouts of the WannaCry attack was the recognition that there was no consistent mechanism through which regulators and impacted companies in the health care sector felt they could freely share the information they had about the attack and how it worked. While an ad hoc approach eventually developed when responding to the WannaCry incident, the cybersecurity task force recommended a uniform, robust system pursuant to which there could be a public-private sharing of cybersecurity threats and mitigants.
The Health Cybersecurity and Communications Integration Center
While the task force was finishing its report, HHS was busy planning for the launch of the new Health Cybersecurity and Communications Integration Center (HCCIC), which was modeled on the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). The purpose of HCCIC — once operational — is to provide a vehicle through which industry participants can share information regarding cyber threats.
HCCIC has, however, come under bipartisan assault. Members of the Senate Homeland Security and Governmental Affairs Committee swiftly denounced HCCIC as creating unnecessary duplication and more government bureaucracy. The issue, members of the Senate committee explained, was that it seemed that NCCIC should be able to deliver the same services as HCCIC. And moreover, having both HCCIC and NCCIC could potentially create confusion in the industry as to which center to work through, leading to the potential failure to communicate critical information about cyber threats across industries. The chair and ranking member of the Senate committee have sent a letter to the HHS secretary, openly questioning the need for HCCIC. It therefore remains to be seen whether HCCIC will have staying power.
OCR Cyberattack Checklist
While more sophisticated companies may have a robust cyberattack response plan in place, many companies, unfortunately, do not. Thus, when an attack occurs, companies often lose precious hours, days or even weeks as they struggle to understand what happened and the scope of the attack. To help organizations respond to a cyberattack, the Office for Civil Rights recently published a short checklist of actions to take upon learning of a cyberattack on your data.
First, patch your systems; make sure that whatever vulnerability was exposed is shut off or closed. Second, OCR recommends reporting the crime to the appropriate authorities. Third, report data regarding the cyberattack to federal and information sharing analysis organizations. Fourth, report the breach as required by the Health Insurance Portability and Accountability Act. Fifth, take appropriate steps to mitigate the harm to patients from the attack.
While undoubtedly useful to have the checklist from OCR, the reality of a cyberattack is that it is not one-size-fits-all, and therefore each entity’s response to a cyberattack likely will be different so as to meet the specific type of threat with the appropriate response. In particular, organizations will need to make case-by-case decisions as to whether and when to report incidents to law enforcement or regulatory authorities.
What to Make of it All
Cybersecurity threats are real in the health care sector. The cybersecurity task force, however, identified what may be the single largest impediment to the industry being prepared for the next attack: the lack of a commitment to treat what has traditionally been considered an “IT problem” as a serious, direct liability threat to companies big and small. While the cybersecurity task force has put forward certain recommendations that may help effect a sea change in the industry so that participants can be more adequately prepared for the next attack, there are some simple, cost-effective changes that companies can make today that would help them be better prepared:
- Update Operating Systems and Retire Legacy Systems: Like WannaCry, most cybersecurity threats focus on low-hanging fruit: systems that are using operating systems that are no longer supported by their designers. These older systems leave exposed security flaws and gaps that hackers and others can readily exploit. Updating operating systems or legacy systems to work on a supported set of software — not necessarily the newest — can go a long way in protecting a company against a cyber threat.
- Test, Test, Test: Test your infrastructure and your employees. Make sure that the systems are responding the way they should to pings and other attempted penetrations. For your employees, send fake phishing emails and see if people take the bait. If they do, direct them to a training page, where they can learn the risks of their actions. Make sure that both your infrastructure and your people know how to identify and appropriately respond to potential attacks.
- Plan: While many large companies undoubtedly have an incident response plan, even smaller companies should have one. What happens when you detect an attack? Who is notified? How? All of these questions should be clearly answered in an internal document that is distributed to the appropriate personnel at the company. Being prepared and knowing how to respond is half the battle when the next cyberattack occurs.
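The first of these points, retiring systems whose operating system is no longer supported, starts with knowing which hosts those are. The script below is an added example, not code from the article or from any agency it names: it reads a constructed asset-inventory CSV, compares each host's operating system against an end-of-support table that the operator is assumed to maintain (the dates shown are Microsoft's published end-of-extended-support dates for those products), and ranks the unsupported hosts so that those with access to patient data and the longest time out of support come first. Hosts whose OS is not in the table are reported separately rather than silently treated as safe.

```python
"""Flag inventory hosts whose operating system has passed its vendor end-of-support date."""
import csv
import io
from datetime import date

# End of extended support per product. Assumed to be an operator-maintained table;
# the entries here are Microsoft's published end-of-extended-support dates.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Constructed sample inventory in the shape an asset-database export might take.
SAMPLE_INVENTORY = """hostname,os,role,phi_access
mri-console-01,Windows XP,imaging,yes
lab-fileserver,Windows Server 2003,file server,yes
reception-pc-07,Windows 7,front desk,no
ehr-app-02,Windows Server 2016,application,yes
infusion-pump-gw,Embedded RTOS 4.1,device gateway,yes
"""


def assess_inventory(inventory_csv, eol_table, today):
    """Return (unsupported_hosts, unknown_hosts).

    unsupported_hosts: one dict per host whose OS end-of-support date is on or
    before `today`, sorted with PHI-accessing hosts first and, within that, the
    longest-unsupported first.
    unknown_hosts: hostnames whose OS is not in the table and so cannot be
    assessed automatically; these need a manual vendor check.
    """
    unsupported, unknown = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        eol = eol_table.get(row["os"].strip())
        if eol is None:
            unknown.append(row["hostname"])
            continue
        if eol <= today:
            unsupported.append({
                "hostname": row["hostname"],
                "os": row["os"].strip(),
                "days_unsupported": (today - eol).days,
                "phi_access": row["phi_access"].strip().lower() == "yes",
            })
    # Highest exposure first: PHI access, then time since support ended.
    unsupported.sort(key=lambda h: (not h["phi_access"], -h["days_unsupported"]))
    return unsupported, unknown


def assess_sample(today_iso):
    """Run the assessment over the constructed inventory as of an ISO date string."""
    return assess_inventory(SAMPLE_INVENTORY, END_OF_SUPPORT, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Evaluate the sample as of the article's publication date.
    flagged, unknown = assess_sample("2017-07-17")
    for host in flagged:
        tag = "PHI" if host["phi_access"] else "no PHI"
        print(f"{host['hostname']:<18} {host['os']:<24} "
              f"{host['days_unsupported']:>5} days past support ({tag})")
    for hostname in unknown:
        print(f"{hostname:<18} OS not in end-of-support table; verify with vendor")
```

The ranking is the point: a report that lists every out-of-date host alphabetically gets filed, whereas one that puts the unsupported imaging console holding patient data at the top gets acted on. The `unknown` list matters for the same reason; an embedded device gateway with an OS nobody recognizes is exactly the kind of system that ends up unsupported without anyone noticing.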
As evidenced by the numerous attacks in the past quarter, it is likely that the volume of cyber incidents will increase before it decreases. While the health care industry may always be a target of cyber threats because of the volume and type of data that is collected, one way to reduce the number of potential threats is to stop being such an easy target. WannaCry should serve as a wake-up call to the industry. It is past time to prepare for cyberattacks.