July 20, 2017


Health Care Cybersecurity Is Not in Good Health

According to the Health Care Industry Cybersecurity (HCIC) Task Force, cybersecurity in the health care industry is in critical condition. The expertise and resources required to adequately protect health care infrastructure have lagged behind the rapid digitization of systems and records. When health organizations accelerated their adoption of electronic health records (EHR) in order to capture government subsidies, they focused primarily on the hardware and software aspects of that integration rather than on security. Although the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and their business associates to safeguard protected health information, the HCIC Task Force found that many providers lack the expertise and resources to comply properly. In addition, the complex regulatory environment has both burdened the industry and left gaps in it: a multitude of regulators within the Department of Health and Human Services (e.g. the Office for Civil Rights, the Centers for Medicare & Medicaid Services, and the Food and Drug Administration), as well as the Federal Trade Commission, impose directives that are at times vague and redundant, while emerging areas such as connected medical devices built on advanced technology remain unaddressed.

The risks caused by inadequate cybersecurity in the health care industry are particularly concerning because of the value of health records and the interconnectedness of health information systems. Unlike credit card and bank account numbers, which can be changed if compromised, health care data does not change, and its value to attackers may increase over time. Moreover, regulations have pushed interoperability of EHR applications in order to create efficiencies, improve service delivery by providers, and give patients greater access to their own health data. This has increased the “attack surface of the health information system,” because the number of people who access medical records, and of devices and applications that connect to them, keeps growing. Interconnection makes the whole system only as secure as its weakest link: a compromise at one poorly protected participant puts every system it connects to at risk.

The HCIC Task Force has recommended the prioritization of six high-level measures in order to address the vulnerabilities in health care cybersecurity:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

  2. Increase the security and resilience of medical devices and health IT.

  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

  4. Increase health care industry readiness through improved cybersecurity awareness and education.

  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

  6. Improve information sharing of industry threats, risks, and mitigations.

While several of these measures are directed at the broader health care industry and its infrastructure, individual health care organizations can act now on the recommendations that call for dedicated resources and for greater awareness and education. A first step is to inventory IT systems, EHR applications, and connected medical devices, since an organization cannot protect assets it does not know it has. The HCIC Task Force also recommends using the NIST Cybersecurity Framework to assess an organization’s cybersecurity risk environment. Importantly, board and executive level understanding of, and commitment to, cybersecurity will help drive investment in security and the development of a workforce equipped to address the growing vulnerabilities in health care cybersecurity. What is clear is that the health of cybersecurity in the health care industry will not improve without increased focus and resources from all parties involved. Recent attacks like the WannaCry ransomware, which spread through unpatched Windows systems of the kind common in the industry, highlight the importance of making those improvements.

© MICHAEL BEST & FRIEDRICH LLP

About this Author

Adrienne Ehrhardt, Michael Best Law Firm, Corporate and Transactional Attorney
Partner

Known for giving practical and actionable legal advice, Adrienne counsels clients on the many complex aspects of privacy and data management matters.

Her extensive background includes experience with issues relating to the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and the Telephone Consumer Protection Act (TCPA), as well as privacy programs and cyber security issues.

Prior to joining Michael Best, Adrienne served as the in-house lead attorney in privacy and data protection at CUNA Mutual...

608-283-0131

Kirk Pelikan, Michael Best Law Firm, Labor and Employment Attorney
Partner

Kirk’s practice focuses on legal issues related to all aspects of the employment cycle, from hiring through termination and severance. Substantially experienced in both benefits and employment law, Kirk is well positioned to help clients respond to the opportunities, vulnerabilities and benefit ramifications of particular employment decisions.

Kirk’s focus includes:

  • Developing and maintaining effective compliance strategies related to defined benefit plans, defined contribution plans, executive compensation and welfare benefit plans

  • Counseling clients on Affordable Care Act (ACA), COBRA, and Health Insurance Portability and Accountability Act (HIPAA) compliance

  • Advising clients on Family and Medical Leave Act (FMLA) and disability compliance

  • Helping clients maintain tax-qualified plan status

414-223-2529