By Steve Cagle, CEO, Clearwater
The Explosion of Health Care Data, Systems and Devices... and Compromises
The digital transformation of health care is driving the adoption of new technology and information systems to support key business and clinical initiatives. We are experiencing a veritable explosion in health care data, systems, and devices. Health care data has grown by 878% since 2016, and the number of endpoints from which it can be accessed is growing exponentially. It is estimated that 25,000 petabytes of health care data will be online by 2020, and the Internet of Medical Things (IoMT) is expected to grow to more than 50 billion devices by 2021. In addition to external devices such as wireless IV infusion pumps or heart monitors attached to patients, the IoMT includes wireless implantable devices such as deep brain neurostimulators, cochlear implants, gastric stimulators, cardiac defibrillators/pacemakers, foot drop implants, and insulin pumps. Health care data, systems, and devices are more voluminous, more visible, more valuable, and, at the same time, more vulnerable than ever.
According to one survey, more than one in three health care organizations have suffered a cyberattack, and one in 10 have paid a ransom. On the question of vulnerability, the FBI wrote in its April 2014 Private Industry Notification: “The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors; therefore, the possibility of increased cyber intrusions is likely.”
We have certainly seen evidence of that over the last five years, and these continuing trends are leaving health care organizations with even greater cyber risk exposure. In the first half of 2019 alone there were 285 reported breaches affecting 32 million individuals, more than double the total for all of 2018.
In the wake of so many largescale data breaches, the Office for Civil Rights (OCR) has stepped up HIPAA enforcement, levying a record $28.7 million in fines in 2018, representing an increase of almost 50% over 2017. Comprehensive, high-quality risk analysis and risk management are among the highest areas of their focus, as OCR official Nick Heesters recently commented: “Some of the risk analysis we get back just doesn’t really reflect what the rule requires. The rule requires that it be done in an accurate and thorough manner. To accurately and thoroughly assess the risks to an organization’s ePHI. Frankly, that’s not what we get.”
Risk Analysis Failures and Enforcement
As of this writing, an analysis of 66 OCR enforcement actions identifies 48 cases involving electronic Protected Health Information (ePHI) in which the breached organization was required to have performed risk analysis and risk management. In those 48 cases, OCR found that 43 organizations (90%) had not completed an OCR-quality risk analysis, and 40 of the 48 (83%) had adverse findings on risk management. To date, OCR has collected $106.9 million in negotiated settlements and civil money penalties.
State attorneys general are becoming much more active in investigating data breaches and are now banding together to bring multi-state suits.
They work in coordination with OCR and bring their own actions against health care organizations that have violated HIPAA regulations, most recently in cases where the organization failed to conduct a risk analysis. In the MIE (Medical Informatics Engineering) case, a multi-state lawsuit involving 16 state AGs resulted in an additional $900,000 being paid out on top of the OCR settlement. Of the 21 state AG enforcement actions over the last few years, 16 (76%) involved ePHI.
Beyond satisfying regulatory requirements, health care organizations increasingly need to understand where their highest exposures lie so they can protect their assets appropriately, prioritizing and investing in the most effective security controls within limited budgets.
Although 82% of hospitals report having been breached, only 5% of hospital IT budgets go to cybersecurity. Financial services, considered much more mature in Cyber Risk Management (CRM), spends 7.1%. Minuscule budgets and limited cybersecurity staff make it critical for hospitals to focus resources on mitigating their highest risks, and a hospital or other health care provider can only be certain it is implementing the right controls if it knows where its gaps are.
Enterprise Cyber Risk Management Software (ECRMS): A Better Way to Manage Cyber Risk
In response to growing threats, increased regulatory scrutiny, and customer demand, leading health care organizations are recognizing that traditional approaches to assessing and managing cyber risk are not effective. A well-designed information security program begins with an enterprise risk analysis that assesses the vulnerabilities and risks applying to every information system that maintains protected health information. It continues with an integrated risk management program that tracks and manages risk remediation action items until risk is reduced to acceptable levels.
Until recently, most health care organizations have struggled to execute an enterprise-wide, information-system-based risk analysis and risk management program because they lacked the software tools and methodologies to do so.
Without a system in place to identify and remediate high risks, these organizations face the very real potential of experiencing a preventable compromise of health care data, systems, and devices, which can lead to fines, lawsuits, legal and other fees, disruption in operations, reputational damage, and loss of customers.
Many health care organizations struggle to:
- Maintain an inventory of their health care data, systems, and devices – many have not even identified their “crown-jewel” information assets
- Establish a common definition of risk and their cyber risk appetites
- Perform risk analysis on all information systems across the enterprise
- Assess the likelihood and impact of asset-vulnerability-threat scenarios relevant to their systems
- Retain a single source-of-the-truth for risks
- Track and manage risk mitigation action items effectively
- Report on the progress of risk analysis and risk response to governance functions
- Treat CRM as a continuous process
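To make the risk analysis steps above concrete (one scenario per asset, vulnerability and threat; a likelihood and impact rating for each; a risk appetite to compare against; remediation items tracked to closure; and a check that every inventoried system has actually been analysed), here is a small risk register in Python. It is an added illustration, not Clearwater's IRM|Pro, OCR guidance, or any code from the article; the 1-3 rating scales, the appetite threshold of 4, and the sample systems are all constructed for the example.

```python
"""
Minimal information-system risk register in the asset-vulnerability-threat style.
Added example: the scales, threshold and sample systems below are constructed,
not taken from any vendor product or regulator guidance.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed 1-3 ordinal scales. Impact is rated against the confidentiality,
# integrity and availability of the ePHI the asset holds.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Constructed risk appetite: any scenario rated above this needs a tracked action item.
APPETITE = 4


@dataclass
class Scenario:
    asset: str                 # information system or device that maintains ePHI
    vulnerability: str
    threat: str
    likelihood: str
    impact: str
    control: str = ""          # planned remediation action item
    status: str = "open"       # open | in_progress | closed
    residual_likelihood: Optional[str] = None  # expected likelihood once control is in place

    def inherent_risk(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def current_risk(self) -> int:
        # Only a closed action item lowers the rating; a planned or half-done
        # control is still an open exposure in the register.
        if self.status == "closed" and self.residual_likelihood:
            return LIKELIHOOD[self.residual_likelihood] * IMPACT[self.impact]
        return self.inherent_risk()


def above_appetite(register: List[Scenario], appetite: int) -> List[Scenario]:
    """Scenarios whose current rating still exceeds the organisation's appetite."""
    return [s for s in register if s.current_risk() > appetite]


def prioritised(register: List[Scenario], appetite: int) -> List[Scenario]:
    """Remediation order: highest current risk first, asset name as tie-breaker."""
    return sorted(above_appetite(register, appetite),
                  key=lambda s: (-s.current_risk(), s.asset))


def coverage_gaps(register: List[Scenario], inventory: List[str]) -> List[str]:
    """Inventoried systems with no scenario at all: the analysis is incomplete for them."""
    return sorted(set(inventory) - {s.asset for s in register})


# Constructed sample data for a small provider.
SAMPLE_INVENTORY = [
    "EHR database server", "Wireless infusion pump fleet", "Billing file share",
    "Patient portal", "PACS imaging server",
]

SAMPLE_REGISTER = [
    Scenario("EHR database server", "missing critical OS patches", "ransomware",
             "high", "high", control="patch within 30 days", status="in_progress",
             residual_likelihood="low"),
    Scenario("Wireless infusion pump fleet", "default vendor credentials",
             "unauthorised reconfiguration", "medium", "high"),
    Scenario("Billing file share", "no off-site backup", "ransomware",
             "medium", "medium", control="daily off-site backups", status="closed",
             residual_likelihood="low"),
    Scenario("Patient portal", "no multi-factor authentication", "credential stuffing",
             "high", "medium"),
]


if __name__ == "__main__":
    for s in prioritised(SAMPLE_REGISTER, APPETITE):
        print(f"{s.current_risk()}  {s.asset}: {s.vulnerability} / {s.threat} [{s.status}]")
    print("not yet analysed:", coverage_gaps(SAMPLE_REGISTER, SAMPLE_INVENTORY))
```

Two details are deliberate. The EHR server keeps its rating of 9 even though a patching action item exists, because an in-progress control has not yet reduced anything; and the PACS server surfaces as a coverage gap, which is exactly the "we only analysed some systems" finding OCR cites when a risk analysis is judged not thorough.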
Managing cyber risk in health care today is complex. Risk presents itself in an ever-changing threat landscape, filled with bad actors who do not play by the rules. A health care organization trying to manage this cyber risk without software designed for the purpose is no better off than one that tries to manage payment processing, payroll, or electronic medical record-keeping with spreadsheets.
A best-in-class ECRMS platform not only facilitates compliance with regulations, but also creates the basis for a comprehensive, integrated, and holistic approach to identifying, managing, and reducing cyber risk across the evolving health care IT ecosystem. Deploying an ECRMS in a health care organization is no longer an option—it is a necessity in order to maintain secure operations in today’s increasingly digitized health environment.
About the Author
Steve Cagle is CEO of Clearwater, the leading provider of Enterprise Cyber Risk Management and HIPAA Compliance software and services for the health care industry. Clearwater’s IRM|Pro® software and consulting services help health care organizations avoid preventable breaches, protect patients, and meet OCR’s expectations while optimizing and prioritizing cybersecurity investments.
CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.