Q&A: Recent Cyberattacks and the Implications to Healthcare

By Lee Barrett, Executive Director, EHNAC
Twitter: @EHNAC

The Equifax data security breach that exposed the personal information of 143 million Americans was just one story in a year full of hackers making headlines as they continue to expose the security vulnerabilities of some of our nation’s most trusted financial and healthcare institutions. With the ramifications of these cyberattacks weighing heavily on the minds of many healthcare industry stakeholders, Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC) and a member of the HHS Cybersecurity Task Force, tackled several questions to better help the industry both understand and strengthen its defense against these attacks.

Q. What can the healthcare industry learn from the Equifax breach and other cyberattacks like the ones that affected the US Securities and Exchange Commission and the Big Four Accounting Firm Deloitte?

Barrett: The Equifax breach impacted more than 143M Americans as a trove of information was breached. It’s no surprise that 2 out of 3 Americans are affected by a breach or cyberattack. That’s an increase from 1 in 3 Americans in years past. In 2017 alone, the top three health data breaches have impacted 1.5 million people. The Office for Civil Rights (OCR) has reported a record number of HIPAA settlements and fines this year as well. These headline-making data breaches are a vivid reminder that it’s clearly not a matter of if a breach can happen but when.

Hospitals and healthcare systems now need to keep their focus on strategies and tactics to mitigate risk and ensure business continuity once a cyberattack occurs. Today’s cybercriminal has evolved into a dangerous entity, capable of bringing an organization’s enterprise and business operation to a halt, compounded by long-term financial and reputational hardships – the WannaCry and Petya ransomware attacks from earlier this year are clear examples of the impact this can have on healthcare. On average, it costs a healthcare organization more than $2.2 million and its business associates more than $1 million for a data breach. Is it worth risking that by taking an “it-can’t-happen-to-us” attitude?

Q. What can healthcare organizations do to adjust to the continuously shifting cybercrime landscape and reduce their risks of becoming another statistic on the U.S. Department of Health & Human Services (HHS) website due to breach or attack?

Barrett: Protecting patient data should be a top priority for all healthcare stakeholders. Every organization handling protected health information (PHI) needs to conduct a risk assessment and asset inventory of their organization and map the data flow within their enterprise in order to determine their risk in the event of a breach or cyberattack. Hospitals and healthcare systems need to build security frameworks and risk sharing into their infrastructure by implementing risk-mitigation strategies, preparedness planning, as well as adhering to the regulations created by the Office of the National Coordinator for Health IT (ONC) and the National Institute for Standards and Technology (NIST).

But it’s not just the security of internal systems that is of concern in this increasingly interconnected healthcare ecosystem. The security and IT risk management protocols of business associates and other vendors and partners must also be ready for the potential negative consequences of an incident, breach or attack, as their risk mitigation preparedness can impact a health system’s operations. The failure to do so can bring devastating consequences. At a bare minimum, a system should have sufficient rigor and meet industry standards for adhering to HIPAA requirements, mitigating cybersecurity risks, and assuring that all portal and exchange connection points are secured.

Q. As we look ahead to 2018, what areas should healthcare leaders take a hard look at in terms of enhancing their cybersecurity frameworks?

Barrett: The Internet of Things (IoT) has undoubtedly helped healthcare organizations deliver high-quality, more patient-centric and affordable care. However, by introducing these various internet-connected devices into a healthcare environment, you’ve exponentially increased the number of connection points, which in turn raises the level of exposure and heightens the risk of compromise or breach. As a result, hospitals and healthcare systems need to evaluate their medical devices and BYOD protocols within their security frameworks, as they present a whole set of data security challenges. Cybercriminals can strike when hospital employees, through their cell phones or tablets, connect into an EMR system, informatics or data exchange, unintentionally or intentionally infecting the hospital’s enterprise infrastructure with malware. In fact, more than 1M healthcare apps are developed worldwide on an annual basis. Unfortunately, only a small percentage of those new applications go through a security-type review before being launched to the consumer or other stakeholder.

Finally, think of the impact a cybercriminal could have if they were to control medical devices. Last year, Johnson & Johnson warned patients about a potential hacking risk to their insulin pumps. And just recently, we learned of a security risk in a Boston Scientific medical device that communicates with implanted pacemakers and defibrillators. These are real instances of medical devices being compromised by the ever-evolving cybercriminal. Our industry needs to make protecting these devices and the patients they serve a priority in 2018. The Federal Drug Administration (FDA) has recently developed some medical device guidelines, which are a start, but we still have a significant delta to continue to develop further policies, procedures, controls and industry guidance.

The Electronic Healthcare Network Accreditation Commission (EHNAC) is a voluntary, self-governing standards development organization (SDO) established to develop standard criteria and accredit organizations that electronically exchange healthcare data. These entities include accountable care organizations, data registries, electronic health networks, EPCS vendors, e-prescribing solution providers, financial services firms, health information exchanges, health information service providers, management service organizations, medical billers, outsourced service providers, payers, practice management system vendors and third-party administrators. The Commission is an authorized HITRUST CSF Assessor, making it the only organization with the ability to provide both EHNAC accreditation and HITRUST CSF certification.