BY Michael Alexander, Esq., Brown & Fortunato, P.C.
Periodically, and it seems with greater frequency, I open my work email to find an email that just stands out as being odd in one form or another. Due to my generally conservative approach to technological issues, I do not understand, my immediate response is to forward the message along to our firm’s IT expert. Occasionally he will respond that the email is legitimate, and I am safe to proceed. Fairly often the response will be in the form of a meme or snarky emoji indicating the email was one of his IT security tests. But more and more the response is that the email is a phishing attack, and that the sender is being blocked.
We will laugh and joke about the test emails he sends, but these are just one demonstration of the very real and sober threat that phishing and other cyber-attacks pose in our modern society. And the risks and consequences are especially significant in the healthcare space. In response to these ongoing and increasing risks, the Department of Health and Human Services (“HHS”) announced on December 6, 2023, its next steps to enhance cybersecurity in the healthcare and public health sectors.
Warning: Undefined variable $posClass in /home1/mjhnewsc/public_html/wp-content/plugins/ap-plugin-scripteo/lib/functions.php on line 1078
As HHS’s concept paper[1] details, “the healthcare sector is particularly vulnerable to cybersecurity risks and the stakes for patient care and safety are particularly high.” The first example that jumps to mind for many of us is the security of patients protected health information. Just last month, HHS announced a $480,000 settlement with a medical group that was the victim of a phishing attack. As a result of that attack, the Office for Civil Rights (“OCR”) investigated and determined that the group failed to conduct a Security Rule risk analysis, and never implemented procedures to regularly review records of information system activity, both violations of Federal regulations.
Warning: Undefined variable $posClass in /home1/mjhnewsc/public_html/wp-content/plugins/ap-plugin-scripteo/lib/functions.php on line 1078
But the risks extend beyond patient information. Cyber-attacks on hospitals and health systems have led to extended care disruptions, patient diversion to other facilities, and strain on acute care provisioning that results in cancelled appointments, non-rendered services, and delayed medical procedures. In November of last year, a hospital system suffered a ransomware attack that resulted in patients being diverted away from its emergency rooms. A similar attack on a Connecticut hospital in August resulted in elective surgeries being canceled and physicians and hospital staff having to work without essential imaging equipment or access to electronic records. These are just two of many examples where cyber-attacks have resulted in significant disruptions in patient care and placed patient safety at risk.
Warning: Undefined variable $posClass in /home1/mjhnewsc/public_html/wp-content/plugins/ap-plugin-scripteo/lib/functions.php on line 1078
In its announcement, HHS outlined four goals to improve cybersecurity in the healthcare sector.
- Establish voluntary cybersecurity goals for the healthcare sector.
HHS explains that the numerous standards and guidance in the healthcare sector create the potential for confusion. HHS’s goal is to, with input from the industry, establish and publish voluntary sector-specific cybersecurity goals. This will set a clear direction for the industry and help inform potential future regulatory actions by HHS.
- Provide resources to incentivize and implement these cybersecurity practices.
HHS plans to work with Congress to obtain funding and authority to establish two programs:
- An upfront investments program with the goal to assist high-need healthcare providers in implementing essential cybersecurity performance goals; and
- An incentives program to encourage investment in advanced cybersecurity practices by hospitals.
- Implement an HHS-wide strategy to support greater enforcement and accountability.
HHS’s goal is to have all hospitals meeting the healthcare sector cybersecurity goals and will be working to incorporate the healthcare sector cybersecurity goals into existing regulations and programs. This spring HHS will be taking the following actions:
- CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid.
- HHS through its Office for Civil Rights will begin an update of the HIPAA Security Rule to include new cybersecurity requirements.
In addition to these, HHS will work with Congress to increase the civil monetary penalties for HIPAA violations and to obtain increased resources to investigate HIPAA violations and improve HIPAA compliance.
- Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.
HHS will “mature” its cybersecurity support function within its Administration of Strategic Preparedness and Response. Among HHS’s goals are an enhancement of coordination within HHS and the Federal government, and a deepening of the government’s partnership with the industry.
We share HHS’s desire to see improvement in the cybersecurity sector. But it is the providers who are at the forefront of combatting these issues and are the parties that will be subject to the new compliance requirements. So, it is important that providers in all areas of the healthcare industry get involved with HHS on these various goals to ensure that these goals are met in a productive and effective manner.
[1] https://aspr.hhs.gov/cyber/Documents/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf