If you are like most of the healthcare industry, the answer is “yes” according to a recent study by the United States Department of Health and Human Services. The department’s Health Care Industry Cybersecurity Task Force report, a result of the work of 21 cybersecurity experts, was issued in late spring and found that this most private of information is at significant risk of being compromised by malware or cyber hacking. “HHS task force says healthcare cybersecurity in ‘critical condition’,” according to Jessica Davis from Healthcare IT News.
The task force reported that the health care industry was breached by cyberattacks more often than any other industry in 2015. Combined with the increase in ransomware attacks the following year, the report found that sensitive patient information is at high risk of attack. The report listed several contributing factors. These include the idea among smaller entities that they are relatively safe from these attacks, because attackers target larger health care providers. This has proven false. Because the health care industry is so interconnected and interdependent, the industry’s cyber safety is only as “secure as the weakest link.” Id. Basically, if the would-be attacker can gain access to anyone within the system, it can probably access all who do business within that system. Furthermore, the report found that due to staffing shortages, three-fourths of hospitals do not have anyone dedicated to these security issues.
The report did offer more than 100 suggestions for correcting the flaws and providing a more secure environment for sensitive data. The report recommended the development of a system specific to healthcare cybersecurity and for the Secretary of the Department of Health and Human Services to appoint a leader to work with federal, state and healthcare representatives. There should also be an effort to more fully share threat information and tailor such information for easier use by smaller entities.
The types of ransomware attacks of concern in the HHS report were explained last year by two University of Maryland, Baltimore County cybersecurity experts in reference to an incident within the healthcare industry. Anupam Joshi, the director of the campus’s Center for Cybersecurity and chair of the department of computer science and electrical engineering explained that “ransomware takes over a computer system and holds it hostage until a demand is met [. . .] in exchange for returning access to the threatened data.” He indicated that the ransomware is essentially “unbreakable”. Id. The assistant director of the campus’s Center for Cybersecurity and director of the graduate program in cybersecurity, Rick Forno, recommended that entities regularly backup systems and data. He also warned that organizations cannot guarantee that encrypted backup files are free from ransomware and malware because it can be difficult to detect. Id.
Being in compliance with HIPAA rules for electronic data storage and transfer may help prevent some cyberattacks, but it will not halt all of them. Keeping security programs updated, regular reviews of organizational strengths and weaknesses, and keeping abreast of new threats and new tools for addressing those threats can strengthen an entity’s ability to combat cyberattacks. However, if a data breach does occur, every organization should be prepared to address the practical, financial and legal ramifications, including any HIPAA breach reporting requirements. Id.
Little Health Law
Our business and healthcare law firm advises and represents FQHCs, hospitals, medical practices, physicians and other healthcare providers. If you have questions about this post, contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@littlehealthlaw.com.
** Disclaimer: Thoughts shared here do not constitute legal advice. Please consult with an attorney to discuss your legal issue.
Sources: