Two surgeons looking at screen showing need to amend HITECT Act for healthcare sector

The Pandemic Affecting the Healthcare Sector – A Call for Amending the HITECH Act

The threat of cyberattacks has grown in every industry since COVID-19 was declared a pandemic in March 2020. The sectors that feature the highest density of personal data have the most increased risks. One such sector is the healthcare industry, which typically stores protected health information (PHI). PHI includes personally identifiable information (PII), which is perhaps why both the magnitude and intensity of cyberattacks are growing in this sector. Healthcare is situated at the forefront of all industries that suffer losses from cyberattacks, which typically costs $7 million per breach—a step above the global average. The American healthcare industry is expected to invest about $65 billion from 2017 to 2021 in cybersecurity products and services. More can be done to safeguard this sector from the looming threat of the financial, reputational, and operational risks of cyberattacks. There is a considerable impact on the psychosocial health of patients and their caregivers, as well as an overall affront to federal HIPAA Act and HITECH Act mandates enacted to protect patients.

The ongoing COVID-19 pandemic has further aggravated the situation as global healthcare systems struggle to cope with healthcare staff and the unprecedented demands for resources. The shift toward remote work for some healthcare staff and storing data in cloud services contributes further to the risk of data breaches. Many healthcare employees who are now working from home are not informed about safety and security guidelines. Organizations that are not set up for large portions of their workforce to telework have had to implement ad-hoc solutions in order to maintain their business operations. It’s no wonder IBM has reported an astonishing 6,000% rise in spam attacks on its IT systems, many of which are operated in the healthcare sector. During the pandemic, malware has been planted through several types of e-mails, most of them sporting taglines that lure healthcare professionals by proclaiming the availability of protective gear for COVID-19 and even first-in-line access to vaccines. These e-mails have also impacted government employees who have been scrambling to find the necessary PPE for frontline workers. There are even allegations of hackers looking for inside information on the progress of vaccine trials.

The healthcare industry’s response to cyberattacks is a case of too little, too late. It cannot be denied that public health resources are stretched. Nevertheless, incidents such as the attack on the U.S. Department of Health and Human Services (HHS) and a Maryland-based elderly nursing institution continue to occur despite a declaration by some bad actors that there will be no more breaches to healthcare. Data from breaches can be used to secure access to prescriptions, fuel ransomware demands, file fraudulent insurance claims, and build fake identities. According to the HHS, there have been 306 breaches of PHI so far this year, which has affected 10.8 million individuals. The top points of vulnerability that invited these breaches were employee e-mails and network servers. That aligns with the Positive Technologies Q1 2020 report that the top three attack methods in the healthcare industry are social engineering, malware, and compromised credentials. A comprehensive cybersecurity policy that caters to the healthcare industry’s greatest needs can mitigate cyberattacks and data breaches.

With the threat of cyberattacks on the healthcare sector increasing during the COVID-19 pandemic, individual organizations need governmental support and guidance. The Cybersecurity and Infrastructure Security Agency can perform this role, but better clarity and attention from decision-makers are required. Until then, an amendment should be made to the HITECH Act to mandate healthcare organizations to set standards for their own cyber policies and take specific measures to safeguard patients’ data. In its present form, the HITECH Act outlines the Office of the National Coordinator’s (ONC) responsibilities, advocates the adoption and meaningful utilization of health information technology, and evaluates the privacy and security concerns regarding the electronic transmission of health information. However, guidelines on securing this data are not adequately addressed in this legislation; exemplified by the 10.8 million affected by breaches only this year. What is lacking in this legislation is a “routine updating” on methodology and a focus on creating specific cybersecurity policies that will mitigate cyberattacks and data breaches. The inclusion of comprehensive cybersecurity policy into the Act will establish better standards for healthcare institutions to follow, especially during the present COVID-19 pandemic.

Since we are unaware of how long the pandemic might last, the amendment can request healthcare organizations to design and implement a comprehensive cyberpolicy to include policies for current COVID-19 implications. These policies should outline expectations for everyone with access to the organization’s data and devices, internally or remotely. During and even after the pandemic, prominent elements that will provide protection are a telework policy that includes guidance on data retention, an Internet use policy that includes Internet access restrictions and limitations, controls for bringing your own device (BYOD), and a password policy that includes two-factor authentication (2FA).

A telework policy would identify specific ways to safeguard information and data. This policy should include initial information assurance awareness training. It should outline expectations that employees need to understand and comply with their facility’s or department’s policy and security protocols for accessing healthcare systems remotely. The policy should also require that employees protect files, correspondence, and job equipment. According to HHS, 49% of ransomware attacks this year originated from phishing or spam e-mails. An Internet use policy restricts access to ransomware points such as e-mail and social media. If an employee happens to click on a phishing URL and accesses a fake web page, 2FA can lessen the chance of compromised credentials. For phishing attacks, facilities should set a shorter session period and require employees to verify their credentials before regaining access. These requirements should be combined holistically with other security-strengthening measures such as improving network segmentation among resource groups or virtual LANs (VLANs) and implementing stricter access control among these groups. Finally, there should be a plan in place to limit, quarantine, or remediate BYOD endpoints if the organization deems their use acceptable.

Cybersecurity protection is already a multi-billion-dollar industry that will see a further jump in the COVID-ridden world. Average demands for ransomware have grown to several million per instance. The bad actors will continue to invest their best resources to find chinks in the armor of all policies. Quantum computers that can decrypt all existing encryptions are expected to be developed soon. Therefore, the defense against cyberattacks must evolve in sophistication along with the adversaries. With specific guidance from an amended HITECH Act to include a comprehensive cyber policy, the healthcare industry will better secure patients’ data. The healthcare workforce is already exposed to and experienced in following extensive policies and procedures. Providing a detailed, stepwise policy that establishes individual responsibilities and roadmaps for actions can go a long way toward making the entire workforce aware, prepared, and vigilant.