
Nothing will change as a result of the Change Healthcare incident


Over the last few weeks, public outcry has reached its pinnacle, with long-term healthcare cyber advocates like Sen. Mark Warner, D-Va., proposing legislation to incentivize the sector to implement security measures, while the Department of Health and Human Services Office for Civil Rights (OCR) launched an investigation into Change Healthcare and UnitedHealth Group.

The regulatory agencies will focus on whether protected health information was compromised and whether Change Healthcare and UnitedHealth Group are in compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR has also noted it’s interested in entities that have partnered with Change Healthcare and UnitedHealth.

As the media coverage quiets down around the Change Healthcare ransomware case, the fallout continues for the impacted providers and patients. The public and even the entities themselves may not know the full cost or impact for several months, if at all.

Similar incidents and critical infrastructure disruptions in other industries have led to widespread change. From the Target breach in 2013 to the SolarWinds compromise disclosed in late 2020 and the Colonial Pipeline ransomware attack in 2021, massive impacts led to sweeping regulation and even Executive Orders to remedy systemic issues.

However, while the Change Healthcare outage has garnered a tremendous amount of attention, the incident represents just the latest in escalating disruptions and patient safety impacts the health sector has experienced regularly over the last eight years.

Each outage, from the start of targeted ransomware attacks against healthcare in 2016 to the payroll outages that followed the 2021 ransomware attack on Kronos, leads to public outcry and healthcare entities saying: "This will be the defining moment." But there's still no change in resources, despite HHS, OCR, lawmakers, Congress, private researchers, and a host of others all working to secure the resources and funding necessary to make real change.

What's different this time around is that everyone is paying attention, not just those in healthcare calling it the defining moment. Because this is indeed a defining moment, when patients have to check into a hospital to get lifesaving medications because their insurance cannot be processed and they cannot pay out of pocket.

Sen. Warner has yet again taken up the mantle with his legislation, following his 2021 policy proposal that outlined in exact detail just what it will take to move the needle on healthcare cybersecurity. HHS issued its cybersecurity performance goals (CPGs), and even the proposed federal budget suggests that mandated security measures will be forthcoming within the next five years.

Talk to CIOs or CISOs right now, even in large organizations, and they all want regulation because it brings some level of certainty. People hate the unknown. There are lobbying groups pushing for no regulation, but those doing the work on the ground in healthcare support better regulation and clarity because there is so much unknown in healthcare policy.

As it stands under HIPAA, the existing healthcare privacy and security regulation, when something goes wrong it's unclear how severely an entity will be penalized. Even the current guidelines aren't black and white. OCR investigations into reported security incidents can take years before findings and enforcement action occur.

All healthcare has right now, from a regulatory authority point of view, is a stick. It has been the only enforcement lever in healthcare since HIPAA was enacted in 1996 and strengthened by the HITECH Act in 2009. But those mandatory, punitive measures have done nothing to raise the current state of healthcare cybersecurity maturity across the sector.

Awareness is high, but it's not across the board. There are certainly those in healthcare that have done their due diligence and implemented best practices used in other industries, such as the NIST Cybersecurity Framework (CSF). However, HIPAA stands as the current requirement for cybersecurity in healthcare: a Security Rule finalized in 2003, with just 42 implementation specifications, centered on patient data.

In contrast, the NIST CSF, with more than 100 outcome subcategories mapped to hundreds of underlying controls, is routinely updated as the threat landscape evolves. HIPAA has since been supplemented by the HITECH Act, but there is universal awareness that the healthcare privacy and security regulation is not enough to defend against the current threats. When we take into consideration the consistency of highly targeted cyberattacks against healthcare organizations, it's painfully clear that the current state is untenable.

Historically, massive cyberattacks against healthcare are met with a flurry of public outcry; then the next shiny object comes along and the attack is forgotten. But healthcare entities and supporting groups continue to take on the role of educators and supporters, waiting for help.

So what will it take for the industry to change its focus? Look at the financial services industry: it took a big stick, massive fines and regulatory action by the Securities and Exchange Commission that said, in effect, follow these specific guidelines or don't do business in banking. In healthcare, that's simply not the case.

Impacted healthcare entities disclose little information about an incident, and there are no policies in place that require specificity in disclosures. While threat sharing is important in all sectors, when it happens in healthcare, it happens behind closed doors.

The Change Healthcare incident will not change healthcare, not unless policy changes and the narrative shifts to embrace an understanding of our critical weaknesses and to encourage threat sharing. Without this change, threat actors will continue to target our weaknesses and find success. Expect the next incident to be even more devastating.

Toby Gouker, chief security officer, First Health Advisory

Toby Gouker

The former Provost for the SANS Technology Institute, Toby Gouker brings a wide breadth of privacy and security expertise to First Health Advisory’s cyber health practice. Coupled with years of experience in the federal healthcare IT industry, his expertise sits at the nexus of cybersecurity, health policy, and healthcare risk management. With over 30 years of industry experience and 10 years in education, Gouker is both a scholar and practitioner, offering healthcare organizations guidance on business tools and techniques that help organizations protect IT and data assets.

LinkedIn: https://www.linkedin.com/in/toby-gouker-phd-chisl-gslc-cism-cpem-5285901/
