Cyberattacks – The Gathering Threat to the Healthcare Industry
By Michael D. Bossenbroek, Esq.; Wachler & Associates, P.C.
On September 5 and 6, 2017, the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) co-hosted the 10th annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security. A variety of topics were discussed, but an issue of pressing concern raised repeatedly during the conference was the growing threat of cyberattacks on entities within the health care industry.
The well-publicized WannaCry and Petya ransomware attacks in May and June 2017, respectively, brought international attention to what was already known to be a growing threat. Simply defined, ransomware is a form of malware that, once it successfully infects a computer system, prevents or limits users’ ability to access that system and its data, typically by encrypting the files on it. Access is restored only by obtaining the decryption key, which is known only to the attacker who launched the ransomware, or by restoring the data from backups the ransomware did not reach. The attacker usually demands payment of a ransom in exchange for the decryption key. However, the victim is at the mercy of the attacker, who, depending on motivation, might not release the key even after receiving the ransom, might supply a key that does not work, or might demand additional payment.
As OCR noted in its July 2017 Cybersecurity Newsletter, citing the 2015 and 2017 KPMG Cyber Healthcare & Life Sciences Surveys, there has been a ten percent increase over the past two years in the number of health care providers and health plans that have experienced security-related HIPAA violations or cybersecurity attacks on PHI. Another recent study found that the health care industry was the target of 88% of all ransomware attacks it observed. Trends indicate that the frequency and intensity of cyberattacks will increase in the coming years.
The vulnerabilities of the health care industry to cyber-related security incidents have been well documented. Particularly notable and troubling about the WannaCry attack was that it infected parts of the United Kingdom’s National Health Service, forcing some of its services to operate on an emergency-only basis during the attack. While WannaCry and Petya infected computer systems mostly outside of the United States, there is little to suggest that a future widespread attack could not play out in a similar fashion in this country. Meanwhile, smaller-scale ransomware and other cyberattacks occur daily. A successful attack can paralyze a health care entity: lost productivity, significant costs to restore systems and recover data, reputational harm and, most concerning, potential jeopardy to patient care and well-being.
OCR offers guidance on cybersecurity issues and has made these resources available on its website. They include a quick-response checklist and infographic to consult if an individual or entity has been the victim of a cyberattack. OCR has also published a fact sheet specific to ransomware and its relationship to HIPAA. In addition, OCR developed a crosswalk between the HIPAA Security Rule and the NIST Cybersecurity Framework; the Framework was released in February 2014 to help organizations address cybersecurity risks. Finally, OCR publishes a monthly Cybersecurity Newsletter in which it identifies and provides practical guidance on various cybersecurity topics. These newsletters are available on the OCR website and can also be received by e-mail by subscribing to the OCR Security Listserv.
From a compliance perspective, all health care providers ought to be sensitive to the threat of cyberattacks, and that threat should be considered as part of any entity’s risk analysis and risk management activities. Cyberattacks raise the specter of reportable security incidents and breaches under HIPAA. Where health care entities have neglected proactive compliance, cyberattacks also invite the possibility of OCR scrutiny and enforcement action in the form of audits, investigations, fines, and settlements.
Compliance with the HIPAA Security Rule is not only required but essential to addressing the threat of cyberattacks. Clearly an entity must address its vulnerabilities on the technical side. This includes attention to things such as router and firewall firmware, anti-virus and anti-malware software, timely application of software patches (WannaCry spread through a vulnerability for which a patch was already available), and data backup and recovery capabilities, including backups kept offline or otherwise isolated so that ransomware cannot encrypt them along with the primary data. However, equally important is an entity’s workforce training, since in many situations the security of patients’ PHI rests in human hands. The Security Rule requires entities to implement a security awareness and training program for their workforce members. Among other things, this standard requires periodic security updates, which could take the form of computer-based training, classroom training, monthly newsletters, posters, e-mail alerts, and team discussions, depending on the nature of the risk and threat to the entity. Failing to factor the threat of cyber-related security incidents into a compliance program is a risk that health care entities can and must avoid.
Michael Bossenbroek is a Partner at Wachler & Associates, P.C. and advises clients in HIPAA and Part 2 compliance, Fraud and Abuse matters, audit defense, and other general health care regulatory issues. Mr. Bossenbroek is active in the health law sections of the State Bar of Michigan, the American Bar Association, and the American Health Lawyers Association. He has been selected as a Rising Star in Health Law for 2017. He can be reached at (248) 544-0888 or firstname.lastname@example.org.