By Dr. Rachael Bailey, Healthcare IT Content Consultant at Atlantic.Net
As the world finds itself in the clutch of a global pandemic, it is evident that cybercriminals are using the crisis to their advantage, coming up with novel ways to target businesses at an increasingly vulnerable time for them. Indeed, the US Cybersecurity and Infrastructure Security Agency (CISA) and UK National Cyber Security Centre (NCSC) issued a joint statement declaring an increase in COVID-19-related malicious activity.
COVID-19 has brought many changes into our lives, such as social distancing and remote working, and these are likely to be a part of our ‘new normal’ for some time. Businesses and individuals must learn to adapt the way in which they work, in order to address the new cybersecurity risks that they face.
Cybercriminals Seek To Target the Healthcare Industry
With the value of patient data soaring and many healthcare organizations still using legacy systems, businesses within the healthcare vertical have become a prime target for cyberattacks during the pandemic. Compared with other industries, the healthcare sector falls behind in the deployment of new technologies, instead of relying on outdated cybersecurity infrastructure that leaves them vulnerable to malicious attacks.
Data breaches can lead to huge financial losses for the healthcare industry, as well as the consequences associated with compromised patient data. While dealing with the large-scale disruption and strain caused by COVID-19, healthcare providers have also had to face heightened cyber threats, including ransomware, malware, and phishing attacks. Cybercriminals have taken advantage of the rapid scaleup of telehealth and remote learning to wreak maximum havoc on an extremely strained healthcare system and fatigued healthcare professionals.
In response, the HHS Office for Civil Rights (OCR) has released guidance standards relating to telehealth remote communications, emphasizing its discretion at enforcing Health Insurance Portability and Accountability Act (HIPAA) violation penalties on the provision of telehealth services during the pandemic.
Following HIPAA Guidelines Is Not Sufficient
Maintaining the integrity of protected health information (PHI) is imperative and the past year has highlighted how vital it is that healthcare organizations implement and maintain effective and robust cybersecurity measures. HIPAA legislation, passed by Congress in 1996, establishes the guidelines for protecting sensitive patient data, describing the key physical, technical and administrative safeguards that an organization should have in place. Noncompliance with HIPAA regulations can lead to hefty fines and other significant consequences for Covered Entities.
HIPAA legislation contains two key rules that work in tandem to maintain the integrity of patient data – the Privacy Rule and the Security Rule. The Privacy Rule focuses on an individual’s right to protect the confidentiality of their information in any form, while the Security Rule is concerned solely with the protection of electronic PHI. This means that the Security Rule covers the implementation of effective cybersecurity measures, however, the guidance that it provides is open to interpretation.
Healthcare Entities and their Business Associates are required to abide by the necessary HIPAA guidelines to ensure regulatory compliance, however, as the cyber threat landscape rapidly evolves, compliance with established HIPAA laws may no longer be enough.
The healthcare industry is expanding at a rapid pace, and so too are the regulatory and compliance requirements. After navigating through the intricacies of HIPAA compliance, healthcare organizations may assume that their infrastructure is secure against cyberattacks, but this is simply not the case. Full HIPAA compliance does not guarantee adequate cybersecurity and further measures should not be overlooked. In order to create a safe and secure infrastructure for the collection and storage of PHI, healthcare organizations must focus on the synergistic relationship between HIPAA compliance and Cybersecurity, exploring how the two concepts can support and empower one another.
Why Does HIPAA Need Cybersecurity?
As HIPAA regulations predate emerging cybersecurity threats, we must consider how they address the risk of a data breach. HIPAA legislation does not offer healthcare providers a comprehensive plan detailing how compliance should be achieved, this means that the level of compliance can vary greatly between organizations. Without paying close attention to security risks, organizations can leave themselves vulnerable to attack.
In February 2016, the OCR published a crosswalk, connecting the HIPAA Security Rule with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. This document maps the overlaps between the two frameworks and as the Security Rule offers flexible and scalable guidance, aligning it with the NIST Cybersecurity Framework allows Covered Entities to identify and correct vulnerabilities in their cybersecurity. By complying with NIST’s Cybersecurity Framework and implementing the necessary HIPAA safeguards, healthcare organizations can protect themselves from even the most serious data breaches and subsequent consequences, while ensuring HIPAA compliance.
Moving forwards, the events of 2020 look set to change the way we approach data security and we can anticipate reforms being made to legislation in 2021. The HHS has already hinted change may be on the horizon for the Privacy Rule, perhaps plans for the Security Rule are also being considered.
The last major overhaul to HIPAA legislation was in 2013, with the Final Omnibus Rule. This rule introduced many of the privacy and security recommendations of HITECH. However, much has changed to the cybersecurity landscape since 2013, and the threats facing healthcare organizations today are far more advanced. Considering ransomware, the onslaught of this malware happened well after 2013. So it is conceivable why some people are calling for a major shakeup.
Looking at the healthcare technology trends, cybersecurity will remain a key focus of the healthcare industry over the coming year, as we learn from our experiences during the pandemic and look to better protect our valuable patient data, including big data analytics as this becomes more commonplace. It remains to be seen whether the OCR will take this opportunity to update HIPAA regulations, taking into account the evolution in cyberattacks that were not accounted for when the law was enacted.
About the Author
Dr. Rachael Bailey, Healthcare IT Content Consultant at Atlantic.Net.
A graduate of the University of Chester and postgraduate of the University of Liverpool, with a Ph.D. in Gastroenterology and Cell Biology and a First-class degree in Biomedical Sciences. An experienced and passionate medical writer and an expert in writing scientific documents, regulatory-related documents, and articles discussing US Healthcare and Compliance.
Rachael can be reached online at website https://www.atlantic.net/