Yesterday’s Cyber Risk is not Today’s Cyber Risk
Over the past 10 years, the healthcare industry’s understanding of cyber risk has evolved through four distinct phases, emphasizing four different aspects of cyber risk. Understanding these four different phases gives context for where healthcare cyber risk began and where it is now.
HIPAA was enacted in 1996.[i] The HIPAA Privacy Rule went into effect in 2003 and the HIPAA Security Rule went into effect in 2005.[ii] In the early 2000s, HIPAA enforcement efforts were complaint-driven and reactive, resulting in minimal compliance efforts. That changed with the passage of the HITECH Act, which changed breach reporting requirements, expanded the types of entities subject to HIPAA’s privacy and security rules, increased penalties for non-compliance and stepped up enforcement activity. These changes ushered in the first phase of cybersecurity in the healthcare industry: the Compliance phase (figure 4.1).
Figure 4.1 The Evolving Focus of Cyber Risk in the Healthcare Industry
Source: Bob Chaput, Executive Chairman, Clearwater.
In 2015, data breaches at Anthem, Premera Blue Cross, Excellus BlueCross BlueShield and others exposed the data of more than 193 million individuals.[iii] These breaches reinforced the idea that cybersecurity in healthcare was about more than simply HIPAA compliance. It became clear that cyber risk was a security issue. Healthcare organizations increased their efforts around security and cyber risk management, ushering in a new phase of cyber risk focus: the Security and Cyber Risk Management (CRM) phase.
Around the same time as these data breaches were occurring, connected medical devices were gaining acceptance—and providing new opportunities for cyber attackers. As early as 2011, security researcher Jay Radcliffe demonstrated how he could remotely hack into and disable an insulin pump.[iv] In 2013, the Food and Drug Administration (FDA) issued guidance on cybersecurity and medical devices. In 2017, the FDA recalled an implantable pacemaker over concerns it was vulnerable to hacking.[v] By 2018, incidents like these led to a new cybersecurity focus within the healthcare industry; I call this the Patient Safety phase.
Now, as we begin 2021 and beyond, the healthcare industry has entered a new phase: Medical Professional Liability. There has not yet been a highly publicized, cyber-driven, medical malpractice lawsuit, but progressive organizations know that it is coming and they are working hard to get ahead of this trend. More and more organizations are connecting the dots between cyber risk, patient safety and medical professional liability. They are rightly beginning to view Enterprise Cyber Risk Management (ECRM) as an enterprise risk management issue, not an IT problem, and elevating ECRM’s role within the organization accordingly.
ECRM Interfaces with Many Layers of Regulations
Healthcare organizations are subject to a number of privacy, security and breach notification rules that range from local to state to federal to international regulations. This means that your ECRM program is not only an important business requirement, but it is also required by law. Some of the key sources of regulations related to data privacy, security and breach notification include the following:
- HIPAA—HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA’s Privacy, Security, Enforcement and Breach Notification Rules, as articulated in the Omnibus Final Rule, which was published in 2013, provide the foundation for the healthcare industry’s privacy and security laws.[vi] It is the standard against which HIPAA compliance is measured. The privacy, security and breach notification rules contained in HIPAA apply to PHI, a broad category that encompasses many different types of clinical and administrative data. PHI is defined as “individually identifiable health information.”[vii] Every organization that “creates, receives, maintains, or transmits protected health information” is required to comply with HIPAA.[viii]
- State Laws—As of this writing, the U.S. has not enacted any single, overarching data protection legislation.[ix] States, however, are another matter. All 50 states, and the District of Columbia, require that residents be notified in the case of a data breach of practically any type of personally identifiable information (PII), including PHI.[x] State definitions of protected information and breaches, and regulations around notification, vary widely. One trend that is evident across state-initiated privacy and security regulations is an emphasis on risk-based information security. In this respect, state laws are mirroring HIPAA’s requirement for risk-based data security measures grounded in a comprehensive risk analysis.
- The Federal Trade Commission (FTC)—The FTC is “an independent U.S. law enforcement agency protecting consumers and enhancing competition across broad sectors of the economy. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace ... This broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models.”[xi] The FTC has increasingly been leveraging its authority to protect consumer privacy and personal information. The FTC’s focus on data privacy and security has the potential to impact your organization. One recent example of the FTC’s perspective and influence is the 2019 settlement with Facebook. The final settlement included the following requirements:
  - The organization must establish an ongoing Independent Privacy Committee;
  - The organization must engage an external firm to conduct an initial Independent Privacy Program Assessment, and to continue to conduct such assessments every two years for the next twenty years;
  - Each fiscal quarter, the Principal Executive Officer and the Designated Compliance Officer(s) must sign a certification related to the establishment, implementation and maintenance of a Privacy Program compliant with the requirements of the settlement;
  - The organization must conduct risk assessment and risk management prior to modifying products, services or practices or implementing new products, services or practices.[xii]
Although this particular example (Facebook) is from outside of the healthcare industry, healthcare is not exempt from FTC scrutiny. The FTC has cited numerous healthcare organizations (CVS Caremark/CVS Pharmacy, Rite Aid, Accretive Health, and GMR Transcription Services, for example) for violating the FTC Act.[xiii] FTC enforcement is based on the idea that by failing to secure consumers’ private information, organizations are engaging in unfair and deceptive practices.[xiv]
- Europe’s General Data Protection Regulation (GDPR)—The GDPR, which went into effect in May 2018, protects EU citizens no matter where they are in the world; as such, compliance with the GDPR’s data privacy regulations must be taken into account regardless of whether an organization maintains a physical presence in the EU or not.[xv]
Compliance does NOT Equal Security
Despite the importance of compliance with applicable laws and regulations, it is important to clarify that regulatory compliance does not equal security. Many organizations operate under the misconception that compliance with the original HIPAA legislation (enacted more than 20 years ago) or the HIPAA Security Rule (effective 15 years ago) is sufficient. I’m using the term “compliance” here in the sense of a checklist approach to regulatory requirements: simply ticking off boxes on a controls checklist or list of best practices and calling it good does not translate into effective security.
Such an exercise is not sufficient to secure your organization’s data, systems and devices. Multiple Office for Civil Rights (OCR) enforcement actions also demonstrate that this type of “checklist” exercise does not meet the HIPAA Security Rule’s requirements for an effective ECRM program. An effective ECRM program is more complex, more specific and more nuanced than marking off a checklist.
For example, the HIPAA Security Rule doesn’t require just one type of assessment: it actually requires that organizations conduct three different types of assessments (figure 4.2).
Figure 4.2 The Three Types of Assessments Required by the HIPAA Security Rule
Source: 45 CFR §164.308; graphic illustration by Bob Chaput, Executive Chairman, Clearwater.
It is important that your organization understands the differences between these three types of assessments in order to implement a program that is compliant with the HIPAA Security Rule. But for our purposes here, what I want to emphasize is that one of the three required assessments is the risk analysis. This analysis, which identifies and documents your organization’s unique assets, threats and vulnerabilities, is what provides the foundation for an effective ECRM program. And a comprehensive ECRM program—not compliance, in and of itself—is what ultimately keeps your organization secure.
This blog is excerpted and adapted from Bob Chaput’s book Stop the Cyber Bleeding, available now in digital and paperback format on Amazon. You can learn more about the book and purchase a copy here.
[i] HIPAA History. HIPAA Journal. (n.d.) Accessed September 15, 2019. https://www.hipaajournal.com/hipaa-history/
[ii] HIPAA History. HIPAA Journal. (n.d.) Accessed September 15, 2019. https://www.hipaajournal.com/hipaa-history/
[iii] Jessica Davis. “7 largest data breaches of 2015.” HealthcareITNews. December 11, 2015. Accessed September 15, 2019. https://www.healthcareitnews.com/news/7-largest-data-breaches-2015
[iv] Elinor Mills. “Researcher battles insulin pump maker over security flaw.” CNET. August 26, 2011. Accessed September 15, 2019. https://www.cnet.com/news/researcher-battles-insulin-pump-maker-over-security-flaw/
[v] Peter Jaret. “Exposing vulnerabilities: How hackers could target your medical devices.” AAMC News. November 13, 2018. Accessed September 15, 2019. https://news.aamc.org/patient-care/article/exposing-vulnerabilities-how-hackers-could-target/
[ix] USA: Data Protection 2019. International Comparative Legal Guides (ICLG); Global Legal Group (GLG). Accessed September 18, 2019. https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa
[x] Caleb Skeath and Brooke Kahn. “State Data Breach Notification Laws: 2018 in Review.” Inside Privacy from Covington & Burling, LLP. December 31, 2018. Accessed September 19, 2019. https://www.insideprivacy.com/data-security/data-breaches/state-data-breach-notification-laws-2018-in-review/
[xi] “Privacy and data security update: 2018.” Federal Trade Commission, January 2018 – December 2018. FTC. Accessed September 18, 2019. https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2018/2018-privacy-data-security-report-508.pdf
[xii] Facebook, Inc.: Stipulated Order for Civil Penalty, Monetary Judgment, and Injunctive Relief. U.S. District Court for the District of Columbia. Case No. 19-cv-2184. Filed July 24, 2019. Accessed September 18, 2019. https://www.ftc.gov/system/files/documents/cases/182_3109_facebook_order_filed_7-24-19.pdf
[xiii] “CVS Caremark settles FTC charges: Failed to protect medical and financial privacy of customers and employees; CVS Pharmacy also pays $2.25 million to settle allegations of HIPAA violations.” FTC. February 18, 2009. Accessed October 15, 2019. https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial; and “Rite Aid settles FTC charges that it failed to protect medical and financial privacy of customers and employees.” FTC. July 27, 2010. Accessed October 15, 2019. https://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-financial; and “Accretive Health settles FTC charges that it failed to adequately protect consumers’ personal information.” FTC. December 21, 2013. Accessed October 15, 2019. https://www.ftc.gov/news-events/press-releases/2013/12/accretive-health-settles-ftc-charges-it-failed-adequately-protect; and “Provider of medical transcript services settles FTC charges that it failed to adequately protect consumers’ personal information.” FTC. January 31, 2014. Accessed October 15, 2019. https://www.ftc.gov/news-events/press-releases/2014/01/provider-medical-transcript-services-settles-ftc-charges-it
[xiv] “CVS Caremark settles FTC charges: Failed to protect medical and financial privacy of customers and employees; CVS Pharmacy also pays $2.25 million to settle allegations of HIPAA violations.” FTC. February 18, 2009. Accessed October 15, 2019. https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial
[xv] Una A. Dean and Melis S. Kiziltay Carter. “New guidelines on GDPR’s territorial scope confirm it reaches far beyond the EU.” New York Law Journal. March 1, 2019. Accessed August 12, 2019. https://www.law.com/newyorklawjournal/2019/03/01/new-guidelines-on-gdprs-territorial-scope-confirm-it-reaches-far-beyond-the-eu/?slreturn=20190719160336