What the Feds’ Healthcare Security Moves Mean For the Rest of Us

The healthcare industry is under cyber assault.  Few industries have been impacted by recent security incidents quite like healthcare companies.  In May, WannaCry shut down emergency rooms and other medical services for 16 National Health System facilities in the U.K.  Last month, the drug manufacturer Merck experienced a ransomware attack that affected all of their offices in the U.S.  Nuance Communications, a U.S.-based tech company that provides dictation and transcription services to hospitals and health systems, was attacked two weeks ago and experienced an outage that affected some services for over a week.

Unfortunately, the threat isn’t limited to just targeted attacks either.  In May, Molina Healthcare exposed data on an estimated 4.8 million patients for over a month following a website update that inadvertently provided access to patient claim data without requiring authentication.  The incident was reported to security researcher Brian Krebs, who wrote: “It’s unconscionable that such a basic, Security 101 flaw could still exist at a major healthcare provider today … However, the more I write about these lame but otherwise very serious vulnerabilities at healthcare firms the more I hear about how common they are from individual readers.”

The U.S. Department of Health and Human Services has taken notice of the threat.  In June, their Health Care Industry Cybersecurity Task Force released a report titled “Report on Improving Cybersecurity in the Health Care Industry” that identifies key concerns and recommendations.  The report is 88 pages long and was delivered to multiple members of Congress.

Prepare for the Auditors

The report leads with an image at the top of page 1 with big red letters next to a thermometer that reads “HEALTHCARE CYBERSECURITY IS IN CRITICAL CONDITION” with five primary findings:

• Severe lack of security talent
• Legacy equipment
• Premature/over-connectivity
• Vulnerabilities impact patient care
• Known vulnerabilities epidemic

I’m guessing the authors of this report knew that members of Congress weren’t going to actually read an 88 page report on security, and thus this picture was a nice way to summarize the findings – it’s a pretty smart tactic if you ask me.  Additionally, the report defined the entire healthcare “ecosystem” to include not just hospitals and direct patient care facilities, but also encapsulated labs, pharmaceuticals, cemeteries, government offices, research facilities, insurance companies, and other entities that probably don’t consider themselves part of the healthcare industry.

There is plenty of good information contained in the report, but the biggest takeaway for me is the task force’s #1 recommendation:  “Define and streamline leadership, governance, and expectations for health care industry cybersecurity.”  As a veteran of the United States military, I’ve seen (and authored) that kind of  language before so I know that it typically implies someone isn’t doing a good enough job, so a leadership committee is going to write a whole bunch of rules and audit compliance regularly.  As I continued to read the report, sure enough there was the language I anticipated, just three paragraphs down from the header:

“The Health Care Cybersecurity Leader (described in recommendation 1.1) would work within the Department of Health and Human Services (HHS), externally with other federal agencies that impact health care, and other health care sector-related groups to reduce duplication and provide guidance and clarity in the areas of security and cyber risk, best practices, education, and regulations.”

In other words, here comes more regulations, checklists, and auditors.

Security Now or Auditors Later

Cyber security compliance is not a new concept.  Healthcare has been going through HIPAA audits for years.  Financial institutions have to deal with GLBA, Sarbanes Oxley, PCI, and state laws just to name a few.  The federal government and organizations that support it are regularly audited for compliance with regulations like NIST 800-171.  For the most part though, those requirements aren’t extremely difficult to comply with.  In many cases, there’s some opportunity to make assumptions or cases with an auditor as to how you meet a particular requirement that’s generically defined.

The recommendations in this report go a step further than that, opening the door for compliance to be based on a singular security framework – in this case the NIST Cyber Security Framework.  As part of the initial recommendation, the task force suggests that “Use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework would standardize risk assessment and definitions to make sharing cyber information easier and allow the industry to understand the risk across the continuum of data.”  For most healthcare organizations this shouldn’t be too much of a stretch since HIPAA already requires some safeguards.  This precedent opens the door for the federal government to leverage this framework across all other industries though, many of which are definitely not prepared to meet that burden.

The point here is that, quite frankly, organizations simply are not taking basic steps to protect their data.  If they were, you wouldn’t see all these cases in the news.  In healthcare, the regulators have started to “smell the blood in the water” and government is positioning regulations as a method to force the issue.  Once that happens, it won’t be long before other industries with sensitive data feel the compliance wrath.

Is your organization ready? Arraya’s Cyber Security Practice is well-versed in the threats facing modern healthcare providers. Through a combination of real world experience, best of breed solutions, and an understanding of the challenges facing the industry, Arraya is able to help healthcare providers build a hardened barrier ready for always-advancing threats.

Reach out to us today by visiting https://www.arrayasolutions.com//contact-us/. Leave us a comment on this post using our social media presence: LinkedIn, Twitter, and Facebook. While you’re there, be sure to follow us to stay on top of our latest industry insights, special events, and company updates.