Increasing Cyberattacks Put Pressure on the Health Sector to Safeguard Data

Health systems have experienced a surge in cyberattacks, highlighting the need for them to constantly reassess security controls in order to reduce the likelihood that hackers will gain access to patient information through phishing scams and other methods of data infiltration by hackers.

‍

The federal agency responsible for enforcing HIPAA regulations is taking on more cybersecurity-related work, and to reflect this, it will add "data and cybersecurity" to the name of its health information privacy division.

‍

The Health and Human Services Office for Civil Rights stated while announcing the reorganization last month that hacking now accounts for 80% of significant data breaches. In 2020 and 2021, the number of data breaches affecting 500 or more persons' unsecured health information increased to more than 600 annually, a trend the OCR claimed is still present.

‍

Jennifer J. Hennessy, a data privacy and cybersecurity attorney with Foley & Lardner LLP said that attackers who try to use ransomware frequently target the healthcare sector because healthcare organizations do hold a lot of sensitive data about people, including demographic information, sensitive medical information, and of course, financial information.

‍

Almost a dozen class action lawsuit proposals have been made in response to a hack using ransomware on Regal Medical Group that compromised more than 3.3 million patients.

‍

More Online Data, More Bad Actors

‍

The growing digitization of health data, which is a welcome move for a sector that relied on paper records and fax machines long into the 21st century, is partly responsible for the rise in hacking. It becomes simpler for health systems to communicate with one another and exchange information as more data moves online. Yet, it can give malicious actors more chances to try to hack those connections and systems.

"Our systems become more complex yearly. As a result, William "Bill" Dougherty, information security officer for the online, integrated chronic care provider Omada Health, said that our attack surface has expanded.

‍

Businesses have gotten better over time at identifying and reporting breaches, which will also result in more notifications of breaches, according to Dougherty.

"People are taking greater precautions,” the chief privacy and regulatory officer of Omada, Lucia Savage, noted that while this is happening, thieves are becoming savvier.

‍

Savage, who before joining Omada served as the Office of the National Coordinator for Health IT's chief privacy officer, claimed that a large number of those attempted hacks are carried out by state-sponsored organizations (ONC).

‍

With reference to the Russian invasion of Ukraine and the tensions between China and the US, Savage stated, "We live in a very unstable world right now. All of that, in a way, "foster[s] the state-sponsored cyberterrorism side of it, which is very, very hard for any corporation to contend with unless they're very well tied with our national security infrastructure."

‍

Phishing Scams

‍

One of the main ways that hackers strike is through phishing emails.

‍

“You need to teach your employees how to spot a phishing email,” Savage advised. "That is how individuals enter. It's not a brute force; I managed to crack the encryption. It's because you clicked on a phishing link, which allowed them to insert some software code.”

‍

One solution that can close security gaps "quite easily" is two-factor authentication, according to Greg Garcia, executive director for cybersecurity at the Health Sector Coordinating Council. The council is a grouping of roughly 375 health organizations, from payers to manufacturers of medical devices, who are collaborating with the HHS to address persistent cyber threats.

‍

"HHS and we are attempting to determine what a more comprehensive cyber risk management approach for the industry that we can be held accountable to looks like,” Garcia remarked.

‍

Garcia said, however, that if any move is made to make these security measures mandatory, it needs to be done in a manner that is cost-efficient.

‍

"Let alone being informed by the government that here are all of the additional cybersecurity controls and technologies you have to invest in to be compliant," Garcia said. “A tiny, rural critical access hospital may already struggle to hire a nurse or purchase a new medical instrument.”

‍

Call for Coordinated Strategy

‍

Earlier this month, the White House unveiled its National Cybersecurity Strategy, which called for a "better coordinated, and more well-resourced strategy to cyber defense."

‍

The Health Insurance Portability and Accountability Act require entities subject to its provisions to implement administrative, physical, and technical safeguards to their protected health information.

‍

Kirk J. Nahra, a co-chair of WilmerHale's cybersecurity and privacy practice, emphasized the significance of performing risk analyses frequently and whenever a new development justifies them.

‍

"I don't think it would have been the correct move usually just say, 'Oh, we just conducted our risk assessment last month, we didn't know about ransomware," when ransomware first became a known danger. Now that we are aware of it, we will give it another year before making any decisions," Nahra said. "You, therefore, modify both when developments call for adjustment and in some common cases. That makes sense to me, too.”

‍

The HIPAA security measure is "really a pretty successful guideline for pushing people regularly update based on what's changing, technologically, societally, and with your organization," Nahra added.

‍

Beyond HIPAA

‍

There are many government organizations in the health sector that deal with cybersecurity, Garcia said, including the Office of National Coordinator for Health Information Technology, and the Food and Drug Administration, which oversees the security of medical devices, the Centers for Medicare and Medicaid Services, as well as accreditation bodies.

‍

"There are a number of operational divisions within HHS that have some bearing on cybersecurity. And it's critical for a sizable, dispersed organization like HHS to pinpoint and ensure coordination of the different regulatory touch points on cybersecurity," Garcia added.

‍

The biggest concerns, according to René Quashie, vice president of digital health for the Consumer Technology Association, are associated with data that is not covered by HIPAA, such as organizations that store and exchange health data but are not HIPAA-covered entities.

‍

There is a "big gray area" that applies to organizations that are not HIPAA-covered but may nevertheless gather, distribute, and use patient data, according to Quashie.

‍

The CTA is in favor of a national privacy law that would supersede all state laws and forbid private right of action.

‍

"HIPAA has performed admirably. HIPAA is insufficient in light of the changes in the health care industry,” as per Quashie.