Cyber-Rx: Prescribing treatment for the cyber-security infirmity of the healthcare industry 



By: Alexander A. Schindler

In February of 2024, Change Healthcare, one of the world’s largest healthcare payment processing companies (accounting for an estimated 15 billion transactions worldwide), announced that it was the victim of a cyber-attack that compromised the medical information of approximately one third of Americans.

The House Committee on Energy and Commerce, in response, called a bipartisan hearing with cybersecurity professionals and representatives of the healthcare industry serving as witnesses. The purpose of the hearing was to determine the reasons for the vulnerability of the healthcare industry and the recipe that will reduce the likelihood and impact of similar events.

The witnesses maintained that the industry’s vulnerability arises from healthcare professionals’ lack of the technical expertise needed to identify or address vulnerabilities in their technology, the vertical integration of healthcare entities, the lack of adoption of industry best practices and optional frameworks, and the lack of a “911” to call when a cyber-strike inevitably lands.

Mr. Greg Garcia, Executive Director for Cybersecurity and a Healthcare Sector Coordinating Council member, offered a six-step solution in response:

  1. First, perform a health infrastructure mapping and risk assessment. This step involves mapping critical services and utilities, such as Change Healthcare, which play essential roles in the global healthcare ecosystem. By gaining insights into these dependencies, decision-makers can better understand vulnerabilities and prioritize security measures accordingly.
  2. Second, the results of step one should facilitate the government’s ability to assess consolidation proposals for mergers and acquisitions against their potential for increased cyber incident and impact risk. In other words, using Risk-Map in tandem with government oversight to address the pitfalls of vertical integration.
  3. Third, hold third-party product and service providers and business associates to a higher standard of “secure by design and secure by default” for technology services and capabilities used in critical healthcare infrastructure.
  4. Fourth, invest in a cyber safety net for the nation’s underserved providers, built on accountability and incentives. To illustrate this proposal, he cited the Department of Health and Human Services’ 2025 budget, which calls for an $800 million commitment over two years to certain high-need hospitals to implement baseline “cyber performance goals.” After this two-year learning period, penalties will begin to be implemented and enforced against those that don’t meet those minimum standards. “Incentives followed by accountability.”
  5. Fifth, establish a government hotline that will attempt to replicate the rapid response capabilities of data security firms.
  6. Sixth, employ an “all-hands-on-deck” approach to the implementation of the HSCC 5-year Health Industry Cybersecurity Strategic Plan. The comprehensive plan outlines ten end-state cyber-security goals and twelve objectives to achieve those goals by 2029.

The steps of this proposal certainly would go a long way in helping safeguard the healthcare industry from a macro standpoint. But on the micro level, there remain a number of important steps healthcare providers can and should take on their own to comply with HIPAA and protect themselves—and their patients—from data security risks. Some of the most common issues we see when assisting clients with HIPAA compliance and data breach response include: 

  1. Conduct regular, organization-wide risk assessments (at least annually) and implement a written risk management plan to address vulnerabilities identified by the assessment.
  2. Implement technical controls to limit access to PHI to the minimum necessary and to only those with a need to have the information for authorized purposes.
  3. Ensure all ePHI is encrypted at rest and when in electronic transit.
  4. Deploy network and endpoint detection and response tools, and actively monitor them so action can be taken quickly upon any alerts.
  5. Maintain secure and current backups of all critical data. The backups must be segregated from your network, so they are unaffected by and inaccessible through any attack on your network, and current, so that a forced restoration from the backups will result in minimal data loss.

FMG’s Data Security & Privacy attorneys advise clients on these and other legal issues in the areas of data security and privacy, including compliance, prevention, and incident response. For additional information or questions, please contact Nicholas Jajko, Alexander A. Schindler, or your local FMG attorney.