At a basic level, the health care sector is a human-focused business with highly advanced technologies and a public expectation to drive innovation, often with constrained resources. Despite a tremendous number of endpoints and advanced technologies, providers must protect themselves using the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The trouble is that the rule has just 42 controls, compared with the NIST Cybersecurity Framework, the standard employed by the vast majority of industries other than health care.
“NIST has all of the controls that [an entity] might need or consider, and it’s kept up to date. As things changed, as wireless came along, new NIST guidelines for each one of these elements were produced. The rule stays relevant and current,” explained CynergisTek CEO Mac McMillan.
HIPAA discussions began nearly 30 years ago in the 1980s, and a draft rule emerged in 1993, he explained. What finally came out of the Department of Health and Human Services in 2003, after 10 years of discussion, was a “watered down standard.”
The HIPAA Security Rule primarily focused on the controls necessary to achieve privacy because that was HHS’ prime focus. The original rule and requirements had just 42 elements, compared with NIST’s 300 controls, which are routinely reviewed by researchers. And while the sector has moved away from checkbox-compliance security, HIPAA remains the bar for security measurement despite its shortcomings.
“You realize very quickly that [HIPAA] can’t possibly be an inclusive standard,” said McMillan. What’s more, HIPAA is broadly written and “incredibly flexible, which is what they intended so that organizations could define it how they felt, needed, or wanted to fit their environment.”
“So as long as they had those 42 controls covered, they were compliant,” he added.
Today, control testing is much more complex than it was in 1999 or 2001. But 20 years later, this is the same rule dictating security compliance for the sector, said McMillan. “So much has changed both with technologies and cybersecurity, as well as data processes and collection.”
When the rule was enacted, there were no cell phones, no iPads, no connected medical devices, no wireless devices, no cloud.
“You can go on about the changes that have occurred since 2001 to where we are today — to where there’s no way in hell that the HIPAA Security Rule is in any way shape, form, or fashion adequate for health care users to base their security. It’s just not viable anymore,” he said.
Addressing HIPAA’s shortcomings
The security gaps in HIPAA can be seen in a number of required controls, such as evaluations. HIPAA defines the component as “technical and non-technical testing of security controls.” McMillan said non-technical testing of controls is typically called an audit. Testing of technical controls refers to conducting a scan, which is “basically testing the technical control itself to make sure it’s enabled and functioning.”
But the rule never said that.
“HIPAA never said how often to do it, or what depth, so anyone could define it any way they wanted to,” said McMillan. “So there were some organizations who would do an annual pen test or annual scan, and they basically met the requirement. Yet, everybody in the community recognized that it was hardly adequate for a mature program.”
Several years after HIPAA’s release, some industry stakeholders, including consultancies and other supportive groups, realized that the required controls weren’t enough and began requiring the NIST framework as the standard for their clients “because it’s a complete framework.”
By forcing organizations to use NIST in their evaluations of hospitals, the message from CynergisTek (and others) was clear: “we’re going to evaluate you against the standard that will enable you to build a program able to become more resilient to threats.”
As McMillan sees it, HHS must take the same approach and simply adopt NIST as the required, standard cybersecurity framework to hold all health care delivery organizations and their relevant business associates accountable.
HHS has previously requested comment on changes to the HIPAA rule, given stakeholders’ concern that the outdated rule was indeed not enough to secure the health care environment. But those proposed changes focused more on ongoing interoperability and info-blocking initiatives in play at the agency.
Rather than trying to reinvent the wheel or fix the current rules in place, McMillan believes HHS just needs to recognize that “the world has turned a few times since 2001, and we have a different environment today,” and adopt the NIST framework, which “is the same framework everyone else has adopted already.”
Will HHS heed stakeholder calls?
Industry stakeholders have long noted that the HIPAA rule is outdated and overdue for an overhaul to reflect modern tech and threats. Health apps and patient privacy concerns have been a top reason for this push: the majority of these platforms routinely share health data with third parties without user consent.
However, health apps aren’t regulated by HIPAA.
This major security gap recently prompted the Federal Trade Commission to resurrect a 10-year-old health data breach notification rule to address the issue and crack down on app developers employing dubious data-sharing practices.
Will the FTC move and the continued network disruptions force HHS to take the next step to mandate NIST?
“I’m very skeptical with respect to HHS and their willingness to be prescriptive. I think their approach will always be to try to be self compliance, if you will,” said McMillan. “The thing that I hope will change is the HIPAA Security Rule.”
Past efforts to modify the rule have fallen flat for a number of reasons. McMillan noted there was an “incredibly strong lobbying effort on the part of health care to avoid a prescriptive regulation” in the years that followed the enactment of HIPAA.
Essentially, many of these groups didn’t want the government to tell them they had to meet this framework. Because, for the most part, “most of them knew they weren’t meeting it, and it was going to cost them a lot of money to meet those standards,” he explained. “That’s what it really comes down to: if they have to meet this, they have to invest.”
When it was just data they were losing, many didn’t see the value in investing in deeper security, as “very few providers were actually held accountable for data breaches. And even when they did get held accountable, the penalty for it was small enough that it outweighed the compliance costs for adhering to NIST rather than HIPAA,” McMillan added.
“No hospital ever went out of business because they had a breach, and patients didn't stop going to their doctors. People just got irritated at it. There was some public embarrassment for a couple of weeks when the announcement would come out in the magazines or whatever. But then it went away,” said McMillan. “There was no lasting impact to a breach.”
Fortunately, it appears that outdated mentality may have shifted since the emergence of all the ransomware and disruptive attacks of today. Breach recovery costs combined with today’s threat landscape may cause the tide to turn.
Health systems that have had the bad luck to fall victim to disruptive attacks are already seeing the importance of applying strong controls to their environment. The ongoing focus on patient safety risks and the impact on patient morbidity will also help to fuel this needed shift.
The shift and pressure to adopt NIST will continue as disruptive attacks continue to proliferate, alongside the ongoing impact to patient care and with “more people dying as a result of this.” For McMillan, that’s what’s going to drive this change to a more rigorous standard: “when it starts costing more and when people start getting hurt.”
Consider the amount an organization spends after a major issue, with breach notices that reference the widespread implementation of multi-factor authentication, or even rebuilding hundreds of computers on the network that were damaged by ransomware.
As hospital budgets continue to be constrained due to the pandemic, adoption of new security measures and tools could be a challenge. But McMillan believes the risk of outages and related losses actually stresses the importance of making the shift to NIST requirements more than ever before.
Not only that, but as occupancy rates in hospitals continue to soar, it will become harder to find a place to divert patients in the event of a cyberattack-related network outage. To be frank, “it's more important today to have better security than it ever was. Because when a hospital gets impacted today, it affects everybody. And it absolutely puts patient safety at risk.”
In health care and with typical government regulation changes, nothing is ever that simple. However, McMillan made one final argument for the ease with which HHS could retire HIPAA as the sector’s security standard.
“The agency has the authority to review all rules, at least on an annual basis,” he explained. “All they would have to do is say ‘We’ve reviewed the HIPAA Security Rule and determined it’s no longer adequate for today’s needs.’ And then recommend it be replaced with the NIST cybersecurity framework as the standard, then publish it in the Federal Register.”
Then, industry stakeholders would have 90 days to comment, and then changes can be made, said McMillan. “That’s how simple. But it takes someone with enough vision, intentional fortitude, and leadership in Washington to do that.”
For now, McMillan hopes that industry stakeholder groups like HIMSS, the College of Healthcare Information Management Executives, and the American Hospital Association will take on the charge of replacing HIPAA with NIST.