Healthcare Cybersecurity Trends: Strong Programs, Proven Compliance, and Risk Mitigation

In the ever-evolving healthcare regulatory landscape, where the importance of patient information cannot be overstated, the need for robust cybersecurity measures has become paramount. In a recent webinar hosted by Katz, Sapper & Miller, experts delved into crucial aspects of healthcare cybersecurity trends, focusing on building strong programs, ensuring compliance, and mitigating risks. The discussion was led by Ben Phillips, director of IT Risk Advisory at KSM; Aaron Pritz, CEO and co-founder of RevealRisk; and Corey Brennan, an attorney specializing in information privacy and security at Taft.

Ben Phillips kicked off the discussion by presenting key findings from the “2023 Data Breach Investigations Report” by Verizon. The report analyzed 16,000 incidents, revealing that 5,199 of them were confirmed data breaches. Notable insights included:

• The median cost of a ransomware payment was $26,000.
• 95% of incidents resulted in losses ranging from $1 million to $2.5 million.
• 74% of breaches involved a human element, indicating internal decisions contributing to the breaches.
• 97% of breaches were financially motivated, while 3% were driven by espionage.
• In healthcare, system intrusions and web application attacks were the top patterns of breaches.
• Threat actors were 66% external and 35% internal.
• The compromised data included personal information, medical information, and credentials.

Building and Maturing a Strong Cyber Program

Aaron Pritz acknowledged the challenges faced by healthcare leaders when implementing effective cybersecurity programs. He emphasized the need to simplify and focus efforts, aligning cybersecurity initiatives with three key factors:

1. Understanding business risks: Identifying areas where the organization is most vulnerable.
2. Analyzing the threat landscape: Utilizing threat-related data and collaborating within the industry.
3. Evaluating the current state versus the future: Aligning program goals with business plans.

Additionally, healthcare organizations should prioritize their efforts using the “CIA” framework — confidentiality, integrity, and availability — and focus 80% of their efforts on the top 20% of critical areas.

And don’t forget about the human factor – i.e., workforce training. A CISO at a Fortune 500 pharmaceutical client of Pritz’s said, “People think they are protected by IT security and technology. And while tools help with detection and some prevention, most situations start with a human.” Thus, it’s important to not just think about the tools that can be purchased but what processes enable a workforce to be a critical layer of defense.

Proven Compliance With Assurance Reports

Ben Phillips delved into how assurance reports are utilized to demonstrate compliance with security and privacy requirements.

In the healthcare industry, SOC reports (particularly SOC 2) and HITRUST certifications stand out as prominent compliance options. SOC reports, issued by CPA firms, provide independent opinions on controls and processes, fostering transparency and trust among clients and stakeholders. SOC 2 specifically focuses on a service organization’s controls and processes, offering both type 1 and type 2 reports covering design, implementation, and operating effectiveness of controls.

On the other hand, HITRUST, a healthcare-specific framework, goes beyond the traditional boundaries. Unlike SOC, HITRUST is a certification program owned by the HITRUST organization, introducing a more prescriptive approach to controls. It aligns with healthcare-related regulations like HIPAA, providing a tailored solution for the unique needs of healthcare organizations.

The key distinction between SOC 2 and HITRUST lies in certification: SOC 2 provides a framework to report on and provides an auditor’s report, while HITRUST offers a formal certification. As organizations navigate regulatory requirements, understanding the nuances of these compliance frameworks becomes paramount.

Navigating Regulatory Requirements and Legal Consequences

Corey Brennan addressed the legal implications and consequences of data breaches in healthcare and acknowledged the challenges of the regulatory landscape in the United States.

Various privacy laws govern healthcare entities: While the HIPAA rules are well-known, the often-overlooked Federal Trade Commission (FTC) health breach notification rule is also applicable to certain healthcare entities. The patchwork of state and federal reporting requirements further complicates compliance efforts.

Legal implications loom large for organizations facing breaches, so the significance of conducting risk analysis and implementing management plans cannot be overstated. The average resolution amount under HIPAA can be substantial, with investigations revealing lapses in administrative safeguards rather than the breach incident itself.

The evolving focus of the FTC on health privacy was underscored by recent enforcement actions, signaling a heightened scrutiny of third-party tracking technologies in healthcare. Consent, transparency, and adherence to privacy policies are emerging as focal points, particularly for businesses handling health data.

Beyond regulatory scrutiny, healthcare providers can face multifaceted claims, ranging from invasion of privacy to breach of fiduciary duty, underlining the need for robust cybersecurity measures and transparent communication. Effective legal response strategies, involving early engagement of legal counsel, incident response plan rehearsals, and collaboration with IT forensic analysts, are crucial components in mitigating the fallout.

What’s Next?

As healthcare organizations navigate the intricate landscape of cybersecurity and regulatory compliance, the takeaway is clear: Implementing these best practices is imperative to safeguarding patient information and maintaining trust in the industry. Contact us today to learn more.