Cybersecurity continues to be top of mind these days, especially as we continue to rely on technology and technologies become more sophisticated. On December 28, 2018, a Task Group that includes U.S. Department of Health and Human Services (“HHS”) personnel and private-sector health care industry leaders published new guidance for health care organizations on cybersecurity best practices. The guide – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients – is just that, a guide for healthcare organizations as they begin to navigate the cybersecurity world. This is a start to helping your facility – whether long-term care, hospice, senior living, continuing care retirement homes, or others – take the steps to become cyber secure, and it helps answer those nagging questions keeping you up at night.


While innovation in health information technology is a cause for optimism and increasing sophistication in health IT holds the promise to help address some of our intractable problems, whether in clinical care, fundamental research, population health or health system design, our technology will work for us only if it is secure.
Eric Hargan, Deputy Secretary of Health and Human Services

As mentioned in the guide, the Task Force does not expect the practices in the publication to become a de facto set of requirements that all organizations must implement. Such a dogmatic approach is not effective given the dynamic nature of cybersecurity threats and the fast pace of technology evolution and adoption. Furthermore, they do not guarantee that the suggested practices will aid organizations in meeting their compliance and reporting obligations, but do answer the prevailing questions, “Where do I start and how do I adopt certain cybersecurity practices?”

Key Points from the HHS Guidance

While it is impossible to address every cybersecurity challenge, the Task Group identifies five prevalent cybersecurity threats.

  1. Email phishing attacks – an attacker masquerading as a trusted individual dupes a victim into opening an email and taking an action or disclosing private information, such as wiring money or sending passwords or personal details.
  2. Ransomware attacks – malicious software that threatens to publish one’s data or block access unless a ransom is paid
  3. Loss or theft of equipment or data
  4. Insider, accidental or intentional data loss – from employees
  5. Attacks against connected medical devices that may affect patient safety

For each of the five high-risk cybersecurity threats, the guidance describes the risk, lists specific vulnerabilities and the potential effects of these vulnerabilities, and offers a list of “practices to consider” to help minimize the threat. Additionally, the Task Group identified a set of voluntary best practices and created 10 categories. Each of these practice categories is detailed within two supplementary technical volumes – one addressing the needs of small organizations and the other addressing the requirements of medium and large organizations – and supplemental resources and templates. These resources include toolkits for determining and prioritizing the cybersecurity practices that would be most effective for your organization.

The Guide and What It Means

Understanding and determining the cybersecurity practices that would be most effective for your organization is key. Withum’s Healthcare Services team works with a number of organizations of varying sizes to ensure they are managing their vulnerabilities more effectively. Senior living facilities, nursing centers, memory care and assisted living locations, hospice centers, and continuing care retirement communities have unique cybersecurity concerns that should be addressed properly to ensure the personal information of the facilities and the residents is not at risk. The Guidance created by the Task Group is a first step toward understanding the needs of your facility. Next, take into consideration the five cybersecurity threats.

When speaking with our clients, we regularly ask what are their pain points and what keeps them up at night.

1.  No clear, concise standard procedure in how professionals collect patient information. This discrepancy creates a risk for both the patient and the facility. When providing care to patients in their home or at a facility, different methods are being used, both paper and electronic.

Paper-based forms were the primary method to evaluate and collect information at in-home appointments. The provider then inputs and digitizes the data upon returning to an office. Some providers use a laptop to collect information that syncs directly to programs, or once it is reconnected at the office. Both of these methods raise Data Protection and Loss Prevention flags. A breach of protected health information can occur through accidental misplacement or loss of paper, or by leaving papers in public view while having lunch or stepping away. If a laptop or tablet is used, it could be left open or stolen. Do you have a process for stolen or misplaced items? Does the laptop have an encrypted hard drive? Organizations have a responsibility to protect the data while it is collected, processed and stored. Training and the introduction of new policies and procedures would seem obvious and necessary; however, they seem to waver on the priority list. Generally, most people are vulnerable to being tricked into providing credentials via phishing scams, especially when training is not in place.

2.  Maintaining up-to-date systems while being cost effective. It’s no surprise that maintaining a cost-effective operating environment is a big focus. As new systems are rolled out, the systems require licenses for participation and each license comes at a cost. The cost of obtaining additional licenses outweighed the risks of password and login sharing.

At one facility, all nursing staff at one location use the same user name and password because it was too expensive to acquire more licenses. This is troubling from both the cybersecurity and the patient standpoint. As a result, management cannot see who logs information, control access to systems, or hold individuals accountable for actions, and, should a forensic investigation take place, the shared login makes it more complex and puts the whole facility at risk.

3.  Attracting and retaining quality staff. Attracting and retaining quality staff is always a common issue, as quality measures and scores impact reimbursement and funding. Security training ties directly into ROI. Proper creation of policies and procedures, and then training the quality staff that your organization has, will make you less vulnerable in other areas. When reading through recent Office for Civil Rights (“OCR”) enforcement actions, common findings revealed that policies and procedures failed to:

  • Address security incidents
  • Govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility
  • Safeguard their facilities and equipment from unauthorized access, tampering and theft of equipment
  • Implement a mechanism to encrypt and decrypt ePHI when it was reasonable and appropriate to do so “under the circumstances”.

The details of each OCR enforcement action cite a failure to conduct, or highlight the absence of, an enterprise-wide risk analysis, which is notable given the number of breaches involving a variety of locations and vulnerabilities.

Conclusion

So what does this all mean? The healthcare industry, including long-term care and senior living facilities, is one of the most heavily regulated industries, both in general and when it comes to cybersecurity practices. Within the Guidance by the HHS Task Force, there are compelling metrics that alone should lead you to understand the need for change within your own cybersecurity practices and defenses.

  • 4 in 5 US Physicians have experienced some form of a cybersecurity attack
  • 90% of small businesses do not use any data protection at all for company and customer information
  • Healthcare organizations spend 4 to 7% of total IT budgets on cybersecurity, compared to 10 to 14% in other industries
  • 1,309 records were inappropriately accessed by a single employee between 2016 and 2017

Taking the steps now to check your organization’s current cybersecurity preparedness and start making improvements will help answer the questions plaguing you at night. Withum’s Cyber and Information Security team urges all healthcare organizations to contact us before or after reading the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients for a free consultation.
