Updates to the Health Insurance Portability and Accountability Act (HIPAA) security regulations are currently underway and will add new cybersecurity requirements. Additionally, the Department of Health and Human Services (HHS) is issuing new guidance to help healthcare providers better prepare for and respond to cyber threats.
This update is designed to help the healthcare sector build more resilient systems. HHS Healthcare Sector Cybersecurity has published a concept paper that provides voluntary healthcare-specific cybersecurity performance goals (CPGs) to help organizations prioritize high-impact cybersecurity practices. The goals are designed to improve cyber resiliency and ultimately protect patient health information and safety. “Hackers are getting smarter and smarter,” said Dottie Bollinger, a compliance consultant with Healthcare's Compliance Group in Green Lawn, New York. “I believe that cyberattacks are a bigger threat than ever before, but unfortunately the idea that ‘it won’t happen to us’ remains prevalent.”
The healthcare sector is particularly vulnerable to cybersecurity risks, and the risks to patient care and safety are high. Healthcare facilities are attractive targets for cybercriminals due to their reliance on technology and sensitive data. HHS tracks large-scale data breaches through its Office for Civil Rights (OCR). According to the latest data, reported large-scale breaches increased by 93% from 2018 to 2022 (from 369 to 712). During the same period, large-scale ransomware-related breaches reported to OCR increased by 278%.
“We have seen many well-intentioned medical practices and providers build strong compliance programs and neglect cyber protection. There's a lack of expertise and funding,” Bollinger said.
Recent cyber incidents affecting hospitals and health systems have caused widespread healthcare disruption, with patients being transferred to other facilities. These attacks impact local emergency departments, radiology departments, and cancer centers.
Healthcare organizations now have access to numerous cybersecurity standards and guidance. HHS has incorporated input from industry to establish voluntary sector-specific cybersecurity performance goals. These goals provide clear direction for the industry and help inform potential future regulatory actions. Healthcare and public health sector-specific cybersecurity performance objectives (HPH CPGs) are designed to help healthcare organizations better prioritize high-impact cybersecurity practices.
HHS envisions establishing two programs. The first would provide upfront investments to support high-need health care providers, such as under-resourced hospitals; funding would cover the upfront costs of implementing the “mandatory” HPH CPGs. The second program would provide incentives to encourage all hospitals to invest in advanced cybersecurity practices.
Given the increasing risk profile of hospitals, HHS wants to enable all hospitals to meet the departmental CPGs in the coming years. HHS proposes to leverage additional authority and resources to incorporate the HPH CPGs into existing regulations and programs, which would inform the creation of new enforceable cybersecurity standards.
An update to the HIPAA Security Rule is scheduled for this spring and will include new cybersecurity requirements. Some of the ideas discussed include allowing patients to directly inspect their protected health information (PHI) and to take notes and photos of their PHI. Another change being discussed is reducing the maximum period for providing access to PHI from 30 days to 15 days.
Although the pending changes have been discussed for quite some time, the operational impact for most providers will be minimal, Bollinger said. “I think these changes that make it easier for patients to access their PHI are actually codifying service elements,” she said. “That is the patient's PHI. We live in a technologically instant world and now we have to act quickly in different ways to provide quick access.”
A serious concern is the tracking of patient data: the way such data is collected and used may violate HIPAA privacy requirements. “As a healthcare consumer who is familiar with security processes in general, I am aware that aggregated data prevents someone from the government, insurance company, health system, etc., from making inferences about me based on trends in patient data,” Bollinger said. “I'm concerned that this may be possible.” She is even more concerned that the presence of AI in the medical field is putting personal privacy at risk.
Ryan Witt, vice president of industry solutions at Proofpoint in Sunnyvale, Calif., recommends that clinicians follow HHS's 405(d) program guidance. The program aims to develop consensus-based best practices and methodologies to strengthen the cybersecurity preparedness of the medical and public health sectors. “The upcoming HIPAA update is very likely to closely follow 405(d) recommendations to strengthen cybersecurity resiliency,” Witt said.
The healthcare industry remains vulnerable due to the high value of its data. “The healthcare industry also stores disproportionately large amounts of data, which often must be stored for long periods of time, increasing the size of the attack surface,” Witt explained. “The industry also has many third-party employees and a significant number of remote workers, both of whom often use employee-owned devices, complicating attack vectors.”
Healthcare providers need to take proactive steps to build more resilient systems. Cyberattacks against medical institutions are now being launched from all over the world, and these attacks are escalating. “The risks are greater than ever, and the resulting negative impact on patient care is of grave concern,” Witt said. “The guidance available to the healthcare industry, from, for example, 405(d) teams, is clear, practical, and extremely valuable. The healthcare industry is currently making significant investments to improve its cybersecurity preparedness. We need to catch up and match other industries that have.”