Last month, the U.S. Department of Health and Human Services' Office for Civil Rights reported (https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-first-quarter-2022/index.html) the bad news. The number of cybersecurity breaches involving healthcare entities that impacted 500 or more individuals due to hacking or IT incidents increased 45 percent from 2019 to 2020.
Furthermore, “although some attacks may be sophisticated and exploit previously unknown vulnerabilities (i.e., zero-day attack), most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates implemented HIPAA Security Rule requirements to address the most common types of attacks, such as phishing emails, exploitation of known vulnerabilities, and weak authentication protocols.”
This was not news to Randy Steinle, the CEO of Austin-based Cyber Trust Alliance, whose company is on the front lines of this battle, where it is working to protect hundreds of hospitals in the state of Texas. We recently visited with Steinle to get his perspective on the challenges faced by the healthcare industry in this area.
Question: Why do hackers target healthcare?
Answer: It’s really tied to the value of the data in healthcare. When you look at a healthcare record, it contains so much rich information about an individual that it’s incredibly valuable on the black market. You’ve got financial data, their birthdate, typically social security numbers, and then anything having to do with the
When you look at the marketplace, the experts have attempted to evaluate how much a breached medical record is worth and what we’ve seen is the cost to a practice can be as much as $400 to $430 per record.
Now that includes fines and penalties and other remediation efforts that come with it. But some studies have suggested it can cost the individual person as much as $20,000 out of pocket if their medical records are stolen and used to abuse their identity. From that standpoint, it’s really the richness of that information and what can be done with it. That’s so far beyond any other record, like a credit card or banking information, where it’s limited to a specific account.
Question: Why has the industry had so much difficulty addressing this?
Answer: There are lots of opinions on that. When the federal government mandated a move from paper records, which we had done for hundreds of years, to electronic medical records, the intent was great. So, my medical records could follow me around the world. I could see my doctor in Austin, Texas, or I could also be on vacation in California and see a doctor while there. And they could easily access my medical records because they’re all electronic. The problem was that we jumped into that without thinking through all the details regarding security and privacy issues.
We looked more at the availability of that information and the exchange of that information and not the protection and ensuring that only the right people could see it. The other aspect of that is HIPAA is a federal privacy law. But the federal government also allows each state to put privacy laws in place as well. They do have to meet the minimum standards of HIPAA, but they can add additional things on top of that. You look across the country, there are arguably 50 different privacy laws, each of them very sensitive because of what they protect.
The lack of education on what’s required and what’s necessary has become somewhat overwhelming. The fact that it’s so overwhelming and expensive to do something about it means a lot of people have hoped for the best, and not taken all the appropriate steps. A lot of the smaller providers that make up most of the healthcare industry just can’t keep up with it. This has put them in a tough spot.
Question: Why has Cyber Trust Alliance been able to address this?
Answer: What we found as we looked at the healthcare industry is that most facilities in healthcare are small and mid-sized businesses. A single doctor in an office, a group of doctors, a clinic, rural and community hospitals. The big hospitals make up a small percentage of the overall facilities out there. What we found over the years is that HIPAA was created to be a somewhat flexible standard so that it could apply to different sized facilities. Yet, when the standards came out and a lot of the compliance programs were created, they were designed with the large enterprise systems in mind, because that’s where there’s lots of money.
We found that the smaller and middle market providers are really left behind and don’t have a lot of options. On the high end, you see lots of consultants, who are really expensive. We’re focused on the smaller providers, where you have people wearing five or six different hats, and really don’t have time or the expertise to become a cybersecurity specialist. We saw the smaller market as an opportunity, given the demand for a lower cost. Many of the smaller market solutions today are “TurboTax-style” solutions where you do your own assessment, and you fill out all your own data. But again, you have to have the time and inclination to take that on. So, we specifically designed our solutions to meet that demand, but where our experts who’ve done hundreds and hundreds of assessments have figured out a way to do this virtually so that clients don’t have to and we can scale to meet the demand.
Question: What are the trends that you’re seeing among hackers that concern you?
Answer: The last two or three years have really accelerated things, which is painful for the market. It’s a huge challenge for folks in our industry. But it’s also bringing some attention, which I think is a positive thing. With the pandemic, the feds had to change some of the laws so that everyone could communicate effectively and take on the challenges of COVID. How do we share information to get ahead of this? Well, that required some changes in the HIPAA laws, which is a big deal.
It has created some gaps that have made for some extra challenges. On top of that, hackers have taken advantage of that whole situation. Some of the COVID databases and online forums where you can find out information have been hacked. You also look at things like the war in Ukraine. Hackers feed on chaos. And because healthcare is less prepared than lots of other industries, and has rich data, it is an obvious target.
It is a perfect storm for health care. The industry as a whole is under attack. What’s more, given that 60% of healthcare really hasn’t taken the minimum steps around HIPAA compliance, it’s not surprising that hackers are launching campaigns on a regular basis. We’re really in a lot of trouble. If you look at the recent Office of Civil Rights newsletter, the director painted a pretty scary picture – talking about the 45 million patient records that were breached in 2020 alone. She also said that these problems could be completely avoided or significantly mitigated if people would just implement the HIPAA security rules in their practice.
Question: What can other industries learn from what’s happened in healthcare? It sounds to me like tailoring solutions for SMBs would be a good step, like what you guys have done.
Answer: That’s a great point. What we have found is that healthcare is not alone in this challenge. There are lots of SMBs out there, and they all face regulatory challenges that are amplified by a lack of resources and funds. And like in healthcare, there’s misinformation, a lack of training, and a lack of good solutions for those businesses. Working together across industries is really important. Healthcare is the place to start because there’s such a huge need. It’s our personal health information, which is a big deal. So many people are being impacted, so that’s why we chose healthcare.
I also think healthcare could learn from other industries. Banking, for example, has taken some good strides in the right direction around security, which we could learn from. The defense contracting industry is another one as they are coming out with some new standards right now. Everybody’s trying to protect data. Everybody’s dealing with the same challenges.
The more we can share information, share the struggles, share successful technologies and solutions, and protocols that are working, the better. There’s a lot to be learned, instead of reinventing the wheel on a case-by-case basis. We really need to do something affordable and achievable for the smaller markets.