“We have seen the scope and number of cyberattacks in the healthcare industry increasing in the past several years,” says Steve Curren, director for the Division of Resilience in the Office of the Assistant Secretary for Preparedness and Response (ASPR). “These attacks have the ability to cripple a healthcare organization’s operations in a way that is very challenging to prepare for financially.”
To help disseminate news on widespread threats to healthcare organizations that do not have the capital to invest in sophisticated monitoring systems, ASPR and the Office of the National Coordinator for Health Information Technology (ONC) awarded a grant in late 2016 to support a national information sharing and analysis center.
Curren says his office also has been working collaboratively with healthcare organizations through the Health Care Industry Cybersecurity Task Force, established by the Cybersecurity Information Sharing Act of 2015. The task force includes 17 subject-matter experts from the private sector as well as four government members. The task force has been addressing the industry’s level of preparedness and what healthcare might learn from other industries. “Eventually, they will provide recommendations on how the healthcare industry can better protect itself and what information we can share with healthcare industry partners so they can adopt the best cybersecurity practices and recommend a path forward for HHS [the U.S. Department of Health & Human Services] as we continue to address this issue,” Curren says.
Today, more C-suite leaders recognize the vulnerabilities that their organizations face than they did just two years ago, says Lucia Savage, ONC’s chief privacy officer. “People are not just looking at the capital required to do this correctly, which of course is a daunting number, but also the implications for their balance sheets when they fail to do it correctly,” she says. “In the next few years, we will be getting much better cost estimates as litigation ripens and organizations make disclosures on their SEC filings if they are publicly traded. That all elevates the conversation into the C-suite.”
To prepare for ongoing cybersecurity challenges, Savage suggests healthcare leaders read the HHS resolution agreements on potential HIPAA violations. She says the resolutions and corrective action plans show where organizations make mistakes. For example, many fail to perform more than one risk assessment or fail to follow up on the assessment’s recommendations. Others focus their risk assessment on only one aspect of their information systems, such as their electronic health record. Savage also recommends following eight core security preventive techniques, published by the Department of Homeland Security and the Federal Bureau of Investigation.
In September, ONC and the HHS Office for Civil Rights (OCR) published a new security risk assessment tool, available at healthit.gov, aimed especially at small practices and healthcare organizations. “It’s a diagnostic tool for providers to identify where they need to make changes in their policies and procedures or their trainings to improve their workforce’s preparedness and response to cybersecurity,” Savage says.
Curren says one of the best strategies to prevent breaches is robust employee education at every affiliate in an organization. “A system is only as strong as its weakest link,” he says. “Malicious cyberactors can get in through one [information] system in a smaller organization and perhaps make their way to a bigger organization. So we can’t say that there are only certain organizations we need to protect. We really need to protect the whole system, and large organizations may need to assist the smaller organizations to do that.”
Footnotes
a. “Resolution Agreements and Civil Money Penalties,” U.S. Department of Health & Human Services.
b. “Executive Summary of Grizzly Steppe Findings from Homeland Security Assistant Secretary for Public Affairs Todd Breasseale,” U.S. Department of Homeland Security, Dec. 30, 2016.