Privacy and Security: New Law Changes the Security Landscape
By Ty Greenhalgh
For The Record
Vol. 33 No. 3 P. 28
Designed to promote EHR adoption, the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, hoped to accomplish its goal by offering incentives to and levying penalties against health systems. Hindsight being 20/20, it is clear the industry benefited from widespread EHR adoption. However, it is equally clear that health care would be in a much better place had more consideration been given to security concerns.
The threats and vulnerabilities resulting from rapid EHR adoption has made health care the top target of hackers across the globe. Understanding the meaning of the word “Fullz” helps explain why.
No. 1 With a Bullet
Hackers penetrate systems, exfiltrate data, and sell them on the dark web where stolen credit cards are worth 50 cents and medical records garner 1,000 times that much. Fullz is a term used to commoditize the data sold by hackers. The more complete the profile, the more “full of information” it is, thereby increasing its value. Medical records contain more data, including financial, clinical, and insurance, than any other individual record.
Stolen data can be used for myriad fraud schemes, ranging from identity theft to mortgage and insurance fraud. Because covered entities don’t need to report a breach for 60 days, the bad guys have time before alerts are posted.
Even the stoutest of defenses may not be enough. “There are some vulnerabilities and events that happen even when an organization has been following best practices,” says Mike Powers, a clinical engineer in Utah.
To make matters worse, the health industry also tops the charts in terms of breach costs. Lost business, reputation damage, and lawsuits compound the penalties imposed by the Office for Civil Rights (OCR), which include fines, fees, audits, and corrective action plans.
These penalties are designed to incentivize covered entities and business associates to improve their cybersecurity posture and prevent breaches. “I think the intent [of these penalties] is to punish PHI [protected health information] disclosed due to negligence,” Powers says. “We have many, many devices with 15,000 records on them. Even if best practices are followed, a breach could quickly bankrupt an organization.”
Hackers are getting smarter and richer which means the adversary is growing stronger and more resourceful. With resolve, hackers can penetrate any health system or business associate they target. The penalties imposed on these institutions are not generating the desired effect of securing the industry and protecting patient information.
Despite the efforts of providers, they continue to be the most targeted sector, accounting for 79% of all reported breaches, according to Health IT Security. In 2019, the United States was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted 764 health care providers. Since November 1, 2020, there has been an increase of more than 45% in the number of attacks against health care organizations globally, compared with a 22% increase against other industries.
Cybersecurity breaches of 500 records or more steadily increased between 2018 and 2020, from 371 in 2018 to 618 in 2020. In 2020, the OCR settled 20 cases with resolution agreements or corrective action plans. In the last three years, the OCR has reached settlements totaling more than $55 million. What’s more, this figure does not reflect costs associated with continued audits, impact to operations, legal fees, and corrective action plans.
A New Cybersecurity Law
In an effort to further incentivize the health care industry to more aggressively adopt best practices, AHIMA, the American Medical Association, and the College of Healthcare Information Management Executives proposed legislation that would recognize when organizations made good faith efforts to protect a patient’s safety and data.
As a result, HR Bill 7898, known as the “Recognition of Security Practices,” became law earlier this year. The amendment to the HITECH Act allows Health and Human Services (HHS) to determine whether cybersecurity best practices were adopted by covered entities and business associates. The law is applicable during a breach investigation in which financial and operational remedies are to be determined.
For organizations that can produce security best practice documentation for 12 months, consideration will be provided in an effort to reduce fines, audits, and post breach oversight.
The law will do the following:
• mitigate fines under section 1176 of the Social Security Act (as amended by section 13410);
• result in the early, favorable termination of an audit under section 13411; and
• mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and HHS.
Some industry experts are concerned the law is a de facto “HIPAA Safe Harbor.” While it technically seems to meet the definition by providing provisions to reduce legal or regulatory liability, HHS has used the term “safe harbor” specifically with regard to encryption and the deidentification method of PHI.
The industry would be wise to proceed with caution when using the term safe harbor, which may be misinterpreted and confuse organizations already struggling to understand OCR’s guidance. A more relevant question might be, “What are recognized security practices?”
Public Law 116-321 has identified recognized security practices as “standards, guidelines, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and process that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).”
Most health care privacy, compliance, IT, and information security departments are familiar with NIST and its various resources, such as the Cybersecurity Framework (CSF) and Privacy Framework, that provide a framework for effectively managing risk and applying technical and operational controls within organizations to improve HIPAA compliance and reduce risk. The OCR has even created a crosswalk between the NIST CSF and the HIPAA Security Rule, a roadmap that helps to overlay the two, the thought being that together they are more effective at improving security and compliance.
However, approaches under Section 405(d) of the Cybersecurity Act are less understood. In 2017, this section drove a national risk assessment of the health industry, which recommended industry best practices to mitigate risks. These best practices for small, medium, and large organizations are found in the four-part series titled “Healthcare Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP).
The practices described in HICP are recommendations referred to in the new law.
“The importance of this law can’t be overstated,” says Russell P. Branzell, president and CEO of the College of Healthcare Information Management Executives. “It moves us away from the punitive environment that victimized hospitals by acknowledging their work to better their cyber posture.”
Julie Chua, who serves as the governance, risk, and compliance risk management branch manager for HHS’ Office of the CIO and is public co-lead on the 405(d) Task Group which produced the documentation referenced in this new law, says, “We continue to work with our HHS partners to identify impacts and approaches to ensure all of HHS is working together in response to this new legislation. We hope that the 405(d) Task Group members are encouraged to continue to develop new resources and lend their voices to help define Healthcare and Public Health sector cybersecurity best practices moving forward.”
— Ty Greenhalgh is CEO of Cyber Tygr and an active member in the United States Healthcare and Public Health Sector Coordinating Council’s Joint Cybersecurity Workgroup.