Cybersecurity in a Highly Regulated Industry
The Healthcare Leadership Council hosted a webinar entitled “Cybersecurity Playbook for Healthcare,” in conjunction with the Confidentiality Coalition. The discussion brought clarity to the current federal infrastructure around cybersecurity, existing tensions around breach notifications in the healthcare industry, and recommendations to improve cybersecurity practices within and beyond healthcare. Four speakers joined the panel:
- Marilyn Zigmund Luke, Vice President, AHIP
- Alicia Bowers, Senior Vice President and Enterprise Chief Privacy and Compliance Officer, Atrium Health (now part of Advocate Health)
- Todd Greene, Vice President & Enterprise Chief Information Security Officer, Atrium Health
- Allison Miller, Global Chief Information Security Officer and Senior Vice President for Optum, a division of UnitedHealth Group
The healthcare system is one of 17 national critical infrastructures. As cybersecurity stretches across federal agencies, money is allocated to various agencies to maintain cybersecurity capabilities. Within the U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) was established to receive reports from critical infrastructure sectors. The public is awaiting future regulations from CISA on how to proceed with that reporting process. The Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group identifies and mitigates systemic risks that affect patient safety, security, privacy, and national confidence in the health system.
The Problem with Breach Notifications
As healthcare is a highly regulated industry, organizations that comply with one law run the risk of violating another, because the federal agencies and states have not adequately communicated with each other regarding the larger operational impact of what they are trying to accomplish. Conflicting laws have unintended consequences, and the burden of reporting a breach is significant. The panel noted the juxtaposition of portability and security of data: tension arises between becoming increasingly transparent and connected while protecting patient privacy and securing data.
Breach notification requires contacting both patients and the media. Patients who receive these notifications are either confused or desensitized by the mass mailings, and are generally not concerned unless their social security number was compromised. Media outlets generally go for the more sensational headline, and stories are frequently reported inaccurately. Often, the primary organization is named in the breach even though the actual breach involved a business associate or vendor. It has become clear that the majority of patients take no action after a notification, and media coverage actually helps cyber criminals and plaintiff attorneys target an organization that has just been victimized. Because of the punitive ramifications of how breach notifications are designed, healthcare entities are spending more resources on class action defense than on proactive measures.
The majority of breaches are not due to negligence, and the compromised entities are victims of a crime. The “Wall of Shame,” posted by the U.S. Department of Health & Human Services Office for Civil Rights, should come down. There is a stigma associated with it, and the primary organization is listed even if a vendor was breached. Healthcare is a complex industry, and multiple vendors are required to fulfill all the responsibilities that come with delivering care. Vendors should be held directly responsible, and other sectors should have the same reporting standards as healthcare.
The panel recommended reducing the administrative burden by using a single, exclusive reporting route instead of involving multiple agencies. Avoiding duplicative processes and tearing down commodity channels would allow sectors to communicate valuable information about cyber threats effectively and defend against them collaboratively in a timely fashion. An additional approach to reducing the burden of unnecessary notifications is to redefine what is considered protected health information, as routinely disclosed data is easily found online outside of healthcare.