HHS Must Take Immediate Action to Improve Cybersecurity at Large Healthcare Organizations
Senate Finance Committee Chair Senator Ron Wyden (D-OR) wrote to Department of Health and Human Services (HHS) Secretary Xavier Becerra this week calling for immediate action against large healthcare companies to ensure they improve their cybersecurity practices. “The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry,” said Sen. Wyden.
This year has seen major cyberattacks on large healthcare organizations, including Change Healthcare and Ascension, that have caused massive disruption to healthcare services across the United States. The attacks have disrupted patient care and caused actual harm to patients, and a huge amount of highly sensitive patient data has been stolen and is now in the hands of cybercriminals, putting those patients at risk of identity theft and fraud.
Change Healthcare, part of UnitedHealth Group (UHG), is the largest healthcare company in the United States, yet a hacker gained access to its internal network due to lax cybersecurity practices. The hacker used stolen credentials for initial access, and the credentials alone were sufficient to breach the network as multi-factor authentication (MFA) had not been implemented on the server. The failure to implement MFA on an internet-accessible server is a serious cybersecurity failure for a healthcare organization of any size, let alone the largest healthcare organization in the United States.
MFA is considered to be a basic cybersecurity measure; however, MFA is not a required cybersecurity measure under HIPAA, and many other standard cybersecurity practices are not specified in the HIPAA Security Rule. The HIPAA Security Rule was enacted more than two decades ago and was intended to be technology agnostic to ensure it stays relevant as technology changes. The consequence is that the HHS relies on self-regulation and the adoption of voluntary cybersecurity practices. While that approach benefits smaller healthcare organizations that lack the funds to invest in cybersecurity, it is not appropriate for large healthcare organizations.
“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers,” wrote Sen. Wyden. “HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the health care sector from further, devastating, easily-preventable cyberattacks.”
The HHS has proposed voluntary cybersecurity performance goals for hospitals and plans to propose an update to the HIPAA Security Rule later this year – the first major update since 2003. Given the extent to which healthcare organizations are being targeted by cybercriminals and the impact cyberattacks are having on patient care, more needs to be done. Sen. Wyden has made several recommendations to help create a robust and resilient healthcare system and better protect sensitive patient data, and believes that there should be stricter cybersecurity requirements for systemically important entities (SIEs) such as healthcare clearinghouses and large health systems.
Sen. Wyden said the HHS should develop minimum cybersecurity standards for SIEs and those standards must be enforced. They should include safeguards for electronic protected health information and standards for ensuring resilience to cyberattacks and business continuity in the event of a successful attack. The ransomware attack on Change Healthcare resulted in critical systems being out of action for several weeks, resulting in prolonged disruption for healthcare providers across the country.
Sen. Wyden requested that standards be created to ensure that access to medical records is maintained along with other critical functions for providing medical care and supporting community health. SIEs should be able to completely rebuild their information technology infrastructure from scratch within 48-72 hours, and the HHS should stress test SIEs to ensure that they can meet those requirements. “It is not acceptable for an SIE like Change Healthcare to be down for more than 6 weeks,” said Sen. Wyden.
Earlier this year, Office for Civil Rights Director Melanie Fontes Rainer confirmed that the HHS has resurrected its HIPAA audit program. The HITECH Act requires the HHS to conduct regular audits of HIPAA-regulated entities to assess compliance with the HIPAA Rules; however, the HHS has only conducted two HIPAA audit programs, with the last audits conducted in 2017. The failure to conduct regular audits is due to a lack of resources, as OCR’s budget has remained flat while its workload has increased considerably. Now that the audit program is recommencing, Sen. Wyden has urged the HHS to prioritize audits of SIEs.
While attacks on SIEs have the greatest impact, cybersecurity must be improved at healthcare organizations of all sizes. Smaller healthcare organizations with limited resources would benefit from technical assistance and guidance. Sen. Wyden has called for the HHS to leverage the Centers for Medicare & Medicaid Services (CMS) Quality Improvement Organizations and Medicare Learning Network programs to provide that assistance and guidance and help those organizations improve cybersecurity.