
Healthcare Industry Needs to Get Back to Basics

Cybersecurity breaches and incidents are starting to feel like Groundhog Day. Who do we have today? None other than HealthCare.gov, with the Washington Post recently reporting that HealthCare.gov was hacked, compromising approximately 75,000 individuals’ private information.

HealthCare.gov is the system through which individuals can obtain healthcare coverage under the Affordable Care Act. As of 2018, approximately 10 million people use the ACA to obtain private coverage. Not surprisingly, as part of the coverage process, individuals must provide personally identifiable information (PII) including name, address, social security number, income and citizenship or immigration status. Literally a treasure trove of PII for the hackers involved. Interestingly, officials are stating that the public portal was not compromised as part of this recent hack; instead, only the portal where healthcare agents and brokers access the database was compromised. As usual, the affected individuals will be notified, and credit monitoring offered. So, here we are again.

And the breach of HealthCare.gov is not the only HIPAA-related security news. Anthem, Inc., an independent licensee of the Blue Cross and Blue Shield Association, just agreed to a $16 million settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) related to potential violations of HIPAA’s Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history. And it was not just the breach: the OCR’s investigation showed that Anthem failed to comply with numerous regulatory requirements under HIPAA, including conducting an enterprise-wide risk analysis, having sufficient procedures to regularly review information system activity, identifying and responding to suspected or known security incidents, and implementing adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI.

It is no surprise that the healthcare industry is an enormous target for cybercriminals. Healthcare organizations collect, store and process the data most valuable to hackers. Naturally it follows that this highly valuable information is relentlessly pursued. The past five years alone have seen healthcare data breaches grow, impacting almost 80 million people. From diseases to treatment records, this gossip-column-worthy data can be used to cobble together a person’s “identity”, which makes it easier for identity thieves to become “you”. With all of this pressure on the healthcare industry, and with the added benefit of being in an industry that regulates security and privacy (i.e. HIPAA, the HITECH Act and the Omnibus Rule), one would imagine that organizations in this field would be the leaders in security, right? WRONG (unfortunately)!

The healthcare industry as a whole ranks 9th out of all industries in overall security. That’s right: the industry with the most attacks does not even crack the top 5 in its overall security report card. Worse yet, this lack of security is costing everyday consumers. A 2017 survey from Accenture found that healthcare data breaches have affected nearly 26% of Americans. Also, of those affected by healthcare data breaches, half eventually became the victim of medical identity theft, costing them an average of $2,500 in out-of-pocket costs. What is even scarier is that of those individuals surveyed, almost half learned of the breach themselves and not through any data breach notification from the affected organization or law enforcement.

And, unlike with a particular piece of software or an application, where a user has freedom of choice, individuals do not have much choice about whether to use healthcare. The healthcare industry is about helping people. That’s why one becomes a doctor, a nurse, a researcher, a therapist, etc. But we need to start looking at healthcare and healthcare organizations from an enterprise-wide perspective and stop dealing with security and privacy in the realm of just the IT department. We also need to stop thinking about cybersecurity as “security” and instead think of it as risk management. The only way to manage risk is to understand it and take appropriate steps to minimize it as much as possible.

A good friend of mine says that HIPAA privacy is not a suicide pact. In order to comply with HIPAA privacy regulations, you must do your best, always keeping in mind the patient and her/his treatment. I submit that HIPAA security is also not a suicide pact, nor is it a zero-sum game. We accept some risk by nature of the fact that we do not live off the grid on a deserted island or an isolated mountain top.

This past year, the Office for Civil Rights (OCR), which regulates HIPAA, conducted a series of compliance audits on HIPAA covered entities and found widespread non-compliance. This non-compliance was not based on technological failings in cybersecurity defenses, but on the failure of these covered entities to conduct an enterprise-wide risk analysis. In short, they failed to understand their security risks and the gaps in their defenses, and then to address those gaps. Technology is great. It helps with a lot, but cybersecurity is not all about technology. In fact, most of it is not. A company can have the best firewall in the world with the best antivirus software imaginable, but unless it has a well-trained staff who understand the nature of the threats the organization faces, it won’t really matter, because a hacker only needs ONE happy clicker and the game is up. And the happy clicker isn’t the only problem: many data breaches are caused by employees leaving unencrypted laptops in risky locations, such as vehicles, coffee shops and airport security, to name a few.

Creating policies and procedures, and training on those documents, is key. So is having a set protocol for employees to report a suspected issue, along with a policy of frequent audits of access logs and the use of automated monitoring solutions and user behavior analytics. Techniques that incorporate technology AND training AND the person are the only effective means to combat this threat.
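To make the access-log audit above concrete, here is an added example (not code from the original post or from any system it mentions) of the kind of review a covered entity can run over record-access logs to satisfy HIPAA's "regularly review information system activity" expectation. The log format, user names, patient identifiers, business-hours window and the threshold on distinct patient records are all constructed assumptions for illustration; a real deployment would tune them to its own baseline.

```python
"""Minimal review of constructed EHR access-log lines.

Flags three simple signals that an auditor or a user behavior analytics
tool would look at first: after-hours access, bulk export actions, and a
user touching unusually many distinct patient records in one review window.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Format (assumed): "<ISO timestamp> user=<id> action=<verb> patient=<mrn>"
SAMPLE_LOG = """\
2018-10-22T09:05:11 user=nurse01 action=view patient=MRN1001
2018-10-22T09:07:40 user=nurse01 action=view patient=MRN1002
2018-10-22T09:15:02 user=nurse01 action=update patient=MRN1001
2018-10-22T10:01:13 user=broker07 action=view patient=MRN2001
2018-10-22T10:01:15 user=broker07 action=view patient=MRN2002
2018-10-22T10:01:17 user=broker07 action=view patient=MRN2003
2018-10-22T10:01:19 user=broker07 action=view patient=MRN2004
2018-10-22T10:01:21 user=broker07 action=view patient=MRN2005
2018-10-22T10:01:23 user=broker07 action=view patient=MRN2006
2018-10-22T10:01:25 user=broker07 action=view patient=MRN2007
2018-10-22T23:45:00 user=admin02 action=export patient=MRN3001
"""


def parse_line(line):
    """Parse one log line into a dict with a real datetime and string fields."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts_str),
        "user": fields["user"],
        "action": fields["action"],
        "patient": fields["patient"],
    }


def parse_log(text):
    """Parse a whole log blob, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review_access(events, max_distinct_patients=5, business_hours=(7, 19),
                  export_actions=("export",)):
    """Return a list of (user, reason) findings for a human reviewer.

    Thresholds are assumptions for the example: a user who views more than
    max_distinct_patients distinct records in the window, any access outside
    business_hours (24h clock, start inclusive, end exclusive), and any
    action listed in export_actions are each reported.
    """
    patients_by_user = defaultdict(set)
    findings = []
    start_hour, end_hour = business_hours
    for event in events:
        patients_by_user[event["user"]].add(event["patient"])
        if not (start_hour <= event["ts"].hour < end_hour):
            findings.append((event["user"],
                             f"after-hours {event['action']} of {event['patient']} "
                             f"at {event['ts'].isoformat()}"))
        if event["action"] in export_actions:
            findings.append((event["user"], f"export action on {event['patient']}"))
    for user, patients in patients_by_user.items():
        if len(patients) > max_distinct_patients:
            findings.append((user,
                             f"accessed {len(patients)} distinct patient records "
                             f"in the review window"))
    return findings


if __name__ == "__main__":
    for user, reason in review_access(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

Run as-is it reports nothing for nurse01, one finding for broker07 (seven distinct records, exceeding the assumed threshold of five) and two for admin02 (an export performed at 23:45). The point is not the specific rules but that the review runs on a schedule, produces a short list a person actually reads, and feeds the incident-reporting protocol the post describes.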

Take security back to the basics. Understand the nature of the threat, understand your systems and how your employees use those systems. By combining the basics with technology, we can stem the tide (and maybe reverse it) of data breaches. Oh, and there is the added benefit of HIPAA compliance and avoiding fines. However, until these healthcare organizations embrace the basics, data breaches will continue. When it comes to compliance, risk management and resiliency, luck favors the prepared.

*****

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.