- The U.S. Department of Health and Human Services on Dec. 28, 2018, announced the release of the "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients" that provides a "Call to Action" to make cybersecurity a "priority for patient safety" with the goal of moving beyond what has historically been a focus on privacy and data security.
- The Health Industry Cybersecurity Practices focus on five primary cybersecurity threats to health industry organizations and identifies some of the best practices to address each threat.
- While these Health Industry Cybersecurity Practices are meant to serve as a resource and are voluntary, they could potentially lead to a new standard of care for healthcare entities and may well have implications for an organization's legal liability for a cybersecurity or data privacy incident.
Cybersecurity risks to the healthcare sector have been growing exponentially in the last five years and, over time, have come to include not only data security and privacy risks but also operational and systemic risks that could affect the health and safety of patients. The White House, Congress, U.S. Departments of Homeland Security (DHS) and Health and Human Services (HHS), as well as the U.S. Food and Drug Administration (FDA), have increasingly raised concerns about the sector's ability to adequately prepare itself. While entities have long been regulated by the Health Insurance Portability and Accountability Act (HIPAA) for information security and privacy issues, federal regulators perceived that the sector needed an increased awareness of larger cybersecurity risks and the role of nation states and other attackers, whose sophisticated techniques are being used to attack the healthcare sector.
As a result of these growing concerns, over the last five years the HHS has worked to implement a series of congressional mandates to ensure that the sector focused more heavily on these risks. On Dec. 28, 2018, HHS announced the release of the "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients" (Health Industry Practices). As the report states, it is a "Call to Action" to make cybersecurity a "priority for patient safety" with the goal of moving beyond what has historically been a focus on privacy and data security. The report frames the overall risk, stating, "For the health sector, cyberattacks are especially concerning because these attacks can directly threaten not just the security of our systems and information but also the health and safety of American patients."
The publication was required by law under Section 405(d) of the Cybersecurity Information Sharing Act of 2015. (See Holland & Knight Cybersecurity and Privacy Blog. "Congress Cites Concerns Over Cybersecurity Risks to Healthcare Sector," Oct. 30, 2015.) The effort to create the Health Industry Practices included more than 120 stakeholders, including clinicians, cybersecurity and information technology professionals.
The Health Industry Practices are inclusive of National Institute of Standards and Technology (NIST) standards, as well as HIPAA and the HITECH Act, and must be updated on a regular basis. The document includes a primary overview publication that explores current threats and how to mitigate them. It also includes two technical volumes discussing cybersecurity – one for small healthcare organizations and one for medium and large organizations. Also included were a number of resources and templates, including suggestions for listing and prioritizing threats, draft policies and links to third-party resources.
For those in the medical device industry, the new Health Industry Practices will coexist with current efforts by DHS and the FDA to alert the industry on cybersecurity risks to patients. In 2013, FDA issued a safety communication alert regarding medical devices and issued its first recall in 2017 based on cybersecurity problems in certain medical devices. In October 2018, FDA issued the "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices." (See Holland & Knight Cybersecurity and Privacy Blog, "FDA, DHS Increase Coordination Over Medical Device Cybersecurity Risks to Patient Safety," Oct. 18, 2018.)
Potential Legal and Regulatory Implications
The congressional mandate was meant to build on creation of the 2014 NIST Cybersecurity Framework. The intent was not for HHS to issue new rules, but rather for the private sector to work collaboratively with HHS, DHS, FDA and NIST to create useful, easy-to-read guidance and suggestions for examining an organization's cybersecurity practices.
However, healthcare entities should be aware that over time the NIST Framework has become one of the standard best practices that regulators expect entities to use. While Section 405(d) of Act makes it clear that the Health Industry Practices are meant to serve as a resource and are voluntary, they may eventually become a de facto requirement as well.
Moreover, these Health Industry Practices are consistent with the types of threats that covered entities should already be considering under the HIPAA Security Rule and point to areas of vulnerability that may be relevant for a broad variety of healthcare entities. While not every organization may experience all of the cybersecurity risks in the Health Industry Practices documents, both covered entities' and business associates' HIPAA risk analysis should be re-evaluated in light of these risks. If the practices discussed depart from what an entity is currently doing, it would be worthwhile for the entity to see whether its security practices could benefit from certain amendments. The Health Industry Practices provide useful resources. For example, if an entity does not have a portable device policy, detailed security incident procedures or access control procedures, these documents provide useful tools to close those gaps. HIPAA also requires covered entities and business associates to address the issuance of security reminders. The "threat quick tips" in the main document could be disseminated to workforce members periodically to serve as useful reminders regarding email phishing, ransomware and other threats.
Even though the Cybersecurity Information Sharing Act specifies that the adoption of these Health Industry Practices is voluntary, as previously described, they could potentially lead to a new standard of care for healthcare entities and may well have implications for an organization's legal liability for a cybersecurity or data privacy incident. A healthcare organization that has a damaging e-mail compromise, for example, but has failed to take any of the e-mail protection steps recommended in these documents, may be viewed as not having implemented reasonable security measures. This could lead to enforcement actions by state attorneys general or other federal agencies (such as the U.S. Securities and Exchange Commission) or to civil claims by classes of individual victims or by business partners.
Basic Cyber Threats and Suggested Practices
The Health Industry Practices overview document, designed for non-technical decision-makers, focuses on five of the primary cybersecurity threats to health industry organizations and identifies some of the best practices (described in general terms) to address each threat. The two technical volumes, aimed at information technology (IT) and information security personnel, contain specific practices and detailed sub-practices designed to implement the suggestions in the main volume. The five primary threats, and some of the suggested practices (at a very high level), are:
- E-mail Phishing Attack: Suggested practices include a focus on staff training, implementing multifactor authentication and technical screening tools for malicious content/links.
- Ransomware Attacks: Suggested practices include regular and secure data backups, segmenting networks to protect critical data and systems, and using anti-malware detection and remediation tools.
- Loss or Theft of Equipment or Data: Suggested practices include encryption of sensitive data, and ensuring an organization has an up-to-date asset inventory to be able to benchmark losses in an incident.
- Insider Threats, Accidental or Intentional Data Loss: Suggested practices include audits of those who have access to sensitive data, implementing access control tools, as well as tools to report unauthorized access to critical technology systems, personal health information (PHI) and personal identifiable information (PII).
- Attacks Against Connected Medical Devices: Suggested practices include secure device patching, security risk assessments for devices and vendors and including device security language in contracts.