There is a new “rulemaking” at federalregister.gov that is trying to get the process started for updated HIPAA regulations.
First we have to review how we got here:
Regulatory History
1. 1996 Congress enacted HIPAA (Health Insurance Portability and Accountability Act)
2. 1998 Security Rule Notice of Proposed Rulemaking
3. 2003 Final Rule
4. 2009 Delegation of Authority
5. 2013 Omnibus Rulemaking
HIPAA is all about the PHI (Protected Health Information)
After the initial HIPAA work was started (1998):
On February 17, 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), part of the American Recovery and Reinvestment Act of 2009 (ARRA), promoting the nationwide adoption and standardization of health information technology (health IT) to support the electronic sharing of clinical data.
According to a Cybersecurity & Infrastructure Security Agency (CISA) statistical analysis of the effects of a hypothetical cyberattack on a model hospital, a hospital’s relative performance will suffer amidst a cyberattack. The analysis found that the hypothetical cyberattack would lead to hospital strain from inaccessible patient schedules and records, disrupted communication, and delays in processing and communicating test results in time to effectively treat individuals.
As time went on, more telemedicine has occurred, which means more cybersecurity principles need to be adhered to before a breach (not after).
The coronavirus disease 2019 (COVID-19) pandemic led to a dramatic increase in the use of telemedicine.
In 2023, the FDA issued updated guidance for industry and FDA staff on requirements for cybersecurity in medical devices.
The concern has been the following:
NCVHS cited a 2021 survey of acute and ambulatory care organizations that found only 32 percent of those organizations had a comprehensive security program, while only 26 percent of the long-term and post-acute care facilities met the minimum security requirements. Specifically, NCVHS made the following recommendations for improvements to the Security Rule:
- Include specific minimum cybersecurity hygiene requirements that are reflective of modern industry best practices, including designation of a qualified information security official, elimination of default passwords, adoption of MFA, institution of offline backups, installation of critical patches within a reasonable time, and transparency of impact and vulnerability disclosures.
- Require that regulated entities implement a security program and that they implement standard minimum security controls.
- Require that regulated entities adopt a risk-based approach in their security program.
- Require that regulated entities perform a risk analysis in a manner that conforms with guidance from NIST and CISA (government agencies).
- Define compensating controls more specifically and provide a wider range of examples that apply to a greater variety of types of entities.
- Reinforce the need for regulated entities to account for AI systems and data within their risk analysis for all and any new technology.
- Establish a consistent floor for cyber incident reporting and harmonize such requirements with incident reporting provisions applicable to health care critical infrastructure actors and health care Federal contractors.
The ultimate goal is to be flexible for future technological innovations and to protect PHI.
It is interesting to note that the following has been pointed out: “Small and Rural Health Care Providers Must Implement Strong Security Measures To Provide Efficient and Effective Health Care”
The challenge is that one needs to safeguard PHI with fewer IT labor resources (possibly).
An example was given: a critical access hospital in Colorado recovered from a cyberattack in 2019, but it required “an incredible amount of staff time, many months of recovery efforts, and an enormous financial outlay to restore systems and prevent another attack.” In fact, the hospital estimates that “it took a full year of a staff person’s time to complete the recovery and protect the organization for the future.” These costs do not include the multiple ransoms paid to the attackers after the first set of keys did not unlock all of the data.
An interesting reference: https://www.reliasmedia.com/articles/144561-too-small-to-be-attacked-by-cybercriminals-not-so-fast.
Cybercriminals go after small businesses, especially those in the healthcare industry, because they are easy targets. One breach can be very time-consuming and costly.
The U.S. Department of Health and Human Services lists more than 470 cyberattacks executed on healthcare organizations over the past two years. Many of these are smaller healthcare businesses, including surgery centers. (Read more about these episodes at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
“They’re more susceptible because they do not have a lot of the tools and security measures necessary to protect themselves,” says Nelson Gomes, CEO of PriorityOne Group in Rutherford, NJ, of small healthcare businesses. Gomes speaks at national surgery center conferences about cybersecurity, and PriorityOne is a provider of integrated managed information technology services for healthcare organizations.
The article chronicles several breaches. Here is an image of a few HHS investigations into breaches in Missouri alone (it looks like there are hundreds of investigations across the country):
“A Strengthened Security Rule Is Critical to an Efficient and Effective Health Care System”
As we have constantly evangelized, it is better to do things before the breach rather than after.
Contact me to discuss at fixvirus.com
I will add to this post as I read more of the document with more relevant info.
Here is a good point from one of the links (regarding how new phishing attacks are more sophisticated):
One scenario could play out this way: A surgery center’s chief financial officer or business director lets people know through social media that he or she is leaving town for vacation next week. The cybercriminal learns of this and finds out who is filling in on that job. Then, the phisher breaks into the director’s email and sends the fill-in person an email that appears to be from the director. The email reads something like, “Please pay Jeff for this invoice when it comes in this week.” A day later, the invoice arrives, and the director’s email says, “Hi, it’s me. Jeff and I are colleagues, and you need to send a payment for $5,000.”
The common-sense thing to do is call the director to verify, but employees rarely do this. “There should be an incident response plan or cybersecurity plan in place to say that if I’m out of the office, there needs to be two signatures before someone pays a bill,” Gomes offers.