By Zuzana S. Ikels, J.D., Polsinelli
Recently, the Health Care Industry Cybersecurity Task Force (the “Task Force”) issued its Report on Improving Cybersecurity in the Health Care Industry (the “Report”). The Task Force, which was created by Congress as part of the Cybersecurity Act of 2015, is comprised of subject matter experts from the public and private sector who evaluated the cybersecurity threats to health care industry, the current state of the IT systems for health care industry stakeholders, and the related health care laws and regulations.
The Task Force observed that the health care sector has only invested in cybersecurity in the last five years, while rapidly expanding the use of the Internet of Things (internet-connected, medical devices) and the transition to EHR data, the combination of which magnifies the risk of breaches and data theft. The Report discusses the acute threat of cyber-incidents related to the rise and sophistication of ransomware attacks that hold data hostage involving critical patient information and monitoring devices.
The Report offers a laundry list of recommendations, guidelines and practices aimed to streamline the compliance process and reduce risk, while encouraging technological innovation, research and development, and sharing information.
Highlights of the Task Force’s observations and recommendations include:
- There should be a national, uniform set of standards, which follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework, but customized to reflect the complexity of patient and health care data.
- A single cybersecurity leader should be appointed to govern the privacy concerns for medical information within HHS. The Report criticizes the dizzying number of federal agencies, noting that the Federal Trade Commission (FTC) regulates some aspects, coupled with six, different agencies within the HHS jockeying for control: the Office for Civil Rights (OCR), CMS, the Food and Drug Administration (FDA), the Office of the National Coordinator (ONC), and the Office of the Assistant Secretary for Preparedness and Response (ASPR).
- The need for a federal, uniform standard is evident by the burden on healthcare entities to comply with the panoply of state laws that vary in definitions, scope, standards, and expectations. The Report highlighted the variation in state laws governing: (1) Unauthorized access, malware, and viruses (all 50 states), (2) Denial of service attack laws (25 states); (3) ansomware laws in two states, with another four states currently under consideration; (4) Spyware laws (20 states); and (5) Phishing laws (in 23 states).
- Implement scalable best practices that impose different expectations, obligations and standards depending on the size of the health care entity.
- Congress should create an exception, under the Stark Law and Anti-Kickback Statutes, to encourage hospitals to share resources and provide financial assistance to doctors and clinics related to cybersecurity systems.
- Health care entities should focus on increasing the security of medical devices, health IT, and legacy EHR systems. The Task Force suggests either imposing requirements or financial incentives to share software and systems to ensure a more robust and secure system overall for safe transmissions of patient data.
- Implement a multi-step authentication process and training requirements for clinicians accessing the systems.
- The Report also discusses a series of specific recommendations regarding appointing a lead IT representative, conducting annual audits and sharing information related to better security measures, Big Data Analytics, and research and development.
The Report makes clear that now more than ever, health care delivery organizations have an enhanced responsibility to secure their systems, IoT medical devices, and patient data. Stakeholders are advised to reduce the use of less defensible legacy and unsupported products and focus on reducing risk through robust development and support strategies. The Report is a sincere and ambitious offering of practical and clear solutions that balance the tension between cybersecurity threats, patient privacy concerns, and technological innovation. The more difficult question is whether Congress will consider the report and pass federal legislation in response.
