Privacy and Cyber Security

Recently, the U.S. Department of Health & Human Services (“HHS”) issued guidance for healthcare cybersecurity best practices.  As required under the Cybersecurity Act (CSA) of 2015, this four-part guidance was generated by a Task Group charged with the following:

  1. Examining current cybersecurity threats affecting the healthcare and public health sector;
  2. Identifying specific weaknesses that make healthcare and public health organizations more vulnerable to cybersecurity threats; and
  3. Providing certain practices that cybersecurity experts rank as most effective against such threats.

This technical assistance comes at a critical time.  Healthcare organizations, regardless of size, complexity or sophistication are vulnerable to cyber-attacks. For example, while smaller organizations may think that cyber threats, such as ransomware, tend to affect the larger organizations, approximately 58% of malware attack victims affect small businesses. Furthermore, cybersecurity attacks in 2017 cost small and medium-sized businesses an average of $2.2 million.

Most surprisingly, despite increased frequency of cyber-attacks over the last two years, coupled with cost of data breaches being highest in healthcare, the healthcare industry continues to lag behind in cybersecurity preparedness. About 4-7% of total IT budgets, across healthcare organizations, are being spent on cybersecurity, while other industries spend approximately 10-14%.  There is certainly a need and significant room for improvement across the industry.

The main volume of the new HHS guidance document cites the five most prevalent cybersecurity threats as:

  • E-mail phishing attacks;
  • Ransomware attacks;
  • Loss or theft of equipment or data;
  • Insider, accidental or intentional data loss; and
  • Attacks against connected medical devices that may affect patient safety.

The guidance document also shares ten best practices to mitigate cybersecurity threats (covered in more detail in corresponding Technical Volumes):

  • E-mail protection systems;
  • Endpoint protection systems;
  • Access management;
  • Data protection and loss prevention;
  • Asset management;
  • Network management;
  • Vulnerability management;
  • Incident response;
  • Medical device security; and
  • Cybersecurity policies.

With this new cybersecurity guidance from HHS, healthcare companies can be better equipped to strengthen their security and more effectively tackle cyber threats.  Companies should prioritize these efforts because cybersecurity preparedness can reduce patient privacy risk, protect patient safety and ultimately preserve an organization’s reputation.


Alaap B. Shah


Daniel Kim

Surprisingly amidst the Federal Bureau of Investigation (FBI) uproar, President Trump today signed an executive order addressing cybersecurity for the federal government and critical infrastructure, along with international coordination and cyber deterrence. The substance of the order, which is about to be made public, comes from various press releases and interviews with administration officials. The order is composed of three sections on cybersecurity and IT modernization within the federal government, protecting critical infrastructure, and establishing a cyber deterrence policy and coordinating internationally on cyber issues. In directing cabinet agencies to protect critical infrastructure, the order references the Obama administration’s “section 9” list of most critical entities, which already has prompted questions from industry.  Specifically, the order directs the Commerce Department and the Department of Homeland Security to coordinate an effort to reduce botnet cyber-attacks through a voluntary partnership with industry. This effort mirrors health industry association comments to Commerce’s National Institute of Standards and Technology (NIST), which next week will have an open forum to address the many comments made to its  rulemaking proposals. Interestingly, the Order directs the cabinet agencies to coordinate their own efforts with NIST.  The White House staff has been quoted as saying that “it is about time” the federal government was held to the same standard as private industry in addressing cybersecurity. Consistent with Industry requests, the framework is a voluntary tool actually developed in collaboration with industry, which argues that flexibility is required because policies must be adapted to the needs of different entities.

On the health care cyber front, it is interesting to note that James Comey’s last formal speech was given on May 8th to the American Hospital Association in which he raised concerns about the ability of the FBI to combat cyber-attacks and urged cooperation with hospitals and health systems not to get patient records but “fingerprints of digital intrusion.” I note that this is the point of the work of InfraGard, a cooperative effort between industry and the FBI, and is consistent with the public proposals of the Information Sharing and Analysis Organization Standards Organization (ISAO-SO), established by executive order.  Further information regarding those efforts, in which this author is active, can be provided at sgerson@ebglaw.com.

Comey’s abrupt departure suggests that his statements may quickly become passing memories, but the cooperative tone struck is more than a little inconsistent with proposals, for example, from the Department of Health & Human Services’ Office of Civil Rights (OCR), the enforcement agency for Health Insurance Portability and Accountability Act (HIPAA) matters, and from the Federal Trade Commission (FTC), which soon may inherit enhanced powers as the Federa l Communications Commission is attempting to leave the cyber security enforcement field.  Both the Office of Human Rights and the FTC stress enforcement as the optimal mode of gaining cyber compliance.

In the coming days, you may expect further analysis by Epstein Becker Green of OCR’s developing enforcement stance and other emergent government policies in the wake of the new Executive Order.

WHEN: Thursday, February 26, 2015

TIME: 12:00pm – 1:30pm EST

To register for this webinar, please click here.

Please join us for a complimentary webinar addressing wireless health regulatory issues. This session will discuss recent trends in health technology regulation; including Food and Drug Administration (FDA) developments, Federal Communications Commission (FCC) requirements, wireless technology and communication issues, mobile applications, decision support and other Health IT challenges, and privacy and cyber security considerations.

This session is relevant to tech companies, communications companies, entrepreneurs, and developers that are entering the wireless health technologies space or considering acquiring mobile health assets.

Topics will include:

  • FDA regulations specific to mobile health information technologies
  • Key FCC regulatory and licensing requirements that mHealth innovators face
  • Privacy and cyber security considerations for the wireless health sphere
  • Insights on potential future developments from state and federal regulators affecting wireless health technologies

Moderator:

  • Robert Jarrin, Senior Director, Government Affairs, Qualcomm

Speakers:

To register for this webinar, please click here.

If you have questions regarding this event, please contact Whitney Krebs at (202) 861-0900 or wkrebs@ebglaw.com.