Cyberattacks and breaches are continuing to rise at an alarming rate in healthcare. According the Office for Civil Rights (OCR) breach portal, the number of breached individual records increased by 26% in 2021 to over 40 million.
Ransomware attacks on the healthcare industry have increased by 300% over the past two years. These attacks can be extremely disruptive and expensive. There have been multiple instances where, as a result of a ransomware attack, ambulances were diverted from emergency rooms, test results were delayed, and care was interrupted.
Last year, tragically we also witnessed the first lawsuit linking a ransomware attack to a patient death. It alleged that a baby was born with severe brain injury and eventually died because the doctors did not have access to monitors and did not realize that the umbilical cord was wrapped around its neck.
Healthcare organizations are struggling to transfer cyber risk, as cyber insurance companies are experiencing unprecedented loss ratios and have simultaneously raised premiums, lowered maximum coverage, and placed new requirements on organizations to even be considered for a policy.
And it’s not only healthcare providers that are feeling these effects.
Cyber attackers have been targeting digital health and health IT companies to get to valuable electronic protected health information (ePHI). Many technology companies have lost customers as a result of a breach or ransomware attack, and some even have filed bankruptcy following awards in lawsuits, or due to losing key customers.
The bottom line is that cybersecurity is not an IT problem. It is a top business risk for all healthcare organizations, including digital health and health IT companies.
Increasing Demands
Given the industry’s elevated cyber risk, major challenges and demands have emerged for digital health and health IT companies that provide services or receive ePHI on behalf of providers or payers.
Third-party breaches have resulted in significant cost and disruption to covered entities. As a result, providers and payers are demanding evidence of strong cybersecurity and HIPAA compliance programs from their vendors.
Additionally, investors are becoming more focused on cybersecurity risk. Health IT and digital health investors are no longer checking the box on HIPAA and cybersecurity – they are doing more rigorous diligence. Many are requiring as part of their investments that the company implement recognized cybersecurity practices and conduct ongoing risk analysis and risk management.
A breach or a ransomware attack can not only disrupt operations and result in the loss of customers, but it can also damage company reputation and brand equity, and ultimately the company’s market value when it comes time for an exit.
Responding to Those Demands
To aid your thinking on how to respond to these demands, I’ll briefly review some of the key elements of an effective cybersecurity and HIPAA compliance program.
CISO/Leader
Effective cybersecurity programs require strong leadership from an experienced individual who not only is knowledgeable about HIPAA and the technical aspects of cybersecurity but is also someone who can drive change in the organization.
Whether full-time or fractional, your organization needs a Chief Information Security Officer (CISO) who will be able to understand the organization’s needs and objectives, facilitate discussions about risk, and create and execute a strategic roadmap and tactical workplans to achieve those goals.
With a shortage of talent in the industry, finding an experienced healthcare Information Security leader is not an easy task; however, it is essential for success.
Governance
In addition to a strong leader, your organization must have strong governance. The organization needs to decide how it will measure risk, and how it will make decisions about which risks it is willing to accept. Who in the organization will be responsible for cyber risk management and compliance? And who will, from an executive level, provide oversight and support?
You will need to establish robust policies and procedures that ensure that the organization is in compliance with HIPAA and other regulations, your customer requirements and contractual obligations, and recognized cybersecurity practices.
If you are a digital health company, you will also want to establish security into your software development lifecycle to ensure your applications are developed securely and acceptable to your customers in response to their security questionnaires.
HIPAA
If you are a business associate under HIPAA, or enter into business associate agreements (BAA), you must periodically evaluate your organization’s compliance under the HIPAA Security Rule, and potentially HIPAA Privacy and Breach Notification Rules as well.
To do this, your organization should evaluate and document whether it has the appropriate policies and procedures in place, that it is following them, and that they are reasonable and appropriate. Any gaps should be documented and remediated.
Risk Management
The cornerstone of your security program is risk management. OCR has long stated that risk analysis and risk management are the most important parts of your security program, and in fact in 90% of the cases where there has been a fine or penalty following a breach of ePHI, OCR cited risk analysis as a critical failure.
- The first component of your risk management program is framing –
- How are you going to measure risk within your organization?
- Who is going to make those decisions?
- What is your risk tolerance level?
- The second component is assessing risk. The risk analysis under HIPAA is a very specific thing with nine key elements. It starts with documenting your information system inventory – all applications create, receive, transmit, or store ePHI. You must identify all of the reasonable vulnerabilities and threats to those applications and their components, evaluate security controls, assess likelihood and impact of a breach, and from there, make a risk determination.
- Thirdly, you need to respond to risks. How are you going to treat risks that fall above the threshold – do you accept, avoid, transfer and remediate? If remediating, you need to create, execute, and document a remediation plan.
- And finally, you need to monitor the effectiveness of your controls over time to ensure they continue to mitigate risks to appropriate levels
The quality of your risk management program will depend on the people, process and technology you are using.
Doing risk analysis and risk management well requires expertise, and these key processes must be performed on an ongoing basis.
Security Engineering and Application Security
If you are a health IT or digital health company, designing and implementing security into your products will be critical to your sales efforts, especially if your products receive or transmit ePHI.
In order to build secure products, you must have security embedded as part of the software development lifecycle. Appropriate security controls need to implemented at the application and network level.
And if your applications sit in the cloud, it is important to remember that security and compliance is a shared responsibility between the cloud provider and the application owner. There is an extensive amount of configuration work that the application developer must perform as part of their security responsibilities.
Cloud security is a complex and rapidly evolving area, that requires expertise and constant attention.
Technical Testing
Technical testing is a key a requirement of HIPAA as well as an important practice to identify vulnerabilities and test your defenses.
It’s important to scan for vulnerabilities on an ongoing basis. Even more important, however, is to perform external and internal penetration testing. Penetration testing and more advanced red teaming will simulate cyberattacks and test your organization’s ability to detect and defend against these attacks.
And with phishing being one of the top vectors for ransomware attacks, it’s critical to perform periodic social engineering tests to evaluate the effectiveness of your security awareness program
Incident Response
Finally, you need to be ready in the event that there is a successful ransomware attack or breach. Does your organization have an incident response plan, a disaster recovery plan and a business continuity plan? Have they been tested?
You don’t want a ransomware attack to be the first time you’ve thought about who you need to call, or whether you pay the ransom. These are questions you want to answer first in a tabletop breach or ransomware exercise so when the real thing happens you are prepared.
Having a well-designed incident response plan in place and testing that plan can ensure that you are prepared to minimize the impact of incidents and breaches on the organization.
The Dilemma: Buy, Build, or Partner?
Meeting all of these demands presents with digital health and health IT company leaders with a dilemma. On one hand, addressing the demands is mission critical to the business, but on the other, most organizations don’t have the resources, expertise or bandwidth to build and execute a mature cybersecurity and compliance program.
So what are your options?
The first option is to build the program internally. This requires hiring an experienced program leader or CISO as discussed earlier. The first thing the leader will likely want to do is hire in a Security Analyst. Additionally, there will be costs for attorneys or regulatory consultants to develop policies and procedures. The security team will still need to rely on third parties to conduct compliance assessments and risk analysis and need to purchase tools. Generally, building a program internally can cost $300K – $500K on an annual basis.
The second option is to piece a program together by doing various elements separately. While this may appear to be more cost effective, the reality is it is less efficient, as often the different pieces don’t always fit well together. An approach like this might check some boxes, but it does not result in an ongoing program that will respond to emerging needs and changes, or scale with your company’s growth.
The best option is often to partner with an expert in the field that can provide the program leadership as well as all of the components of the program as a managed service. We have been doing this work for our customers over the last two years under our ClearAdvantage® program, which provides organizations with the benefits of an integrated and efficiently executed, best-in-class cybersecurity and HIPAA compliance program at 25-50% the cost of traditional approaches.
You can read about how ClearAdvantage has helped the young digital health company CaringWays position itself for growth.
I invite you to reach out to me with your questions at steve.cagle@clearwatercompliance.com. Our team is happy to provide you with a free consultation to help determine the cybersecurity and HIPAA compliance solution that will best enable your growth strategy.
