
Cybersecurity Meaningful Use


“PROTECT THE MOST VULNERABLE AT THEIR MOST VULNERABLE TIMES” 

By Jim Ford, Founder and CEO, PatientLock®

The piece published by NPR today (Sept. 17, 2024) states that “the rise in cyberattacks on healthcare systems, particularly ransomware attacks, demands the federal government to prioritize cybersecurity and patient information protection similarly to its approach with electronic health records (EHRs) through the HITECH Act.” Given my unique background of having gone from the “EMR world” into the “healthcare cybersecurity and compliance world,” this is something I think about a lot, and it closely parallels conversations we have internally at PatientLock, with clients, prospects, and industry counterparts.

The piece continues: “Healthcare is now the most targeted industry for ransomware attacks, with 249 healthcare institutions affected in 2023 alone. These attacks paralyze services, disrupt patient care, and compromise sensitive patient data. The HITECH Act, enacted in 2009, was a catalyst in the ‘digitization of healthcare’ by incentivizing the adoption of EHRs and implementing standards for data sharing and privacy. Similarly, federal mandates and incentives focused on healthcare cybersecurity could ensure that institutions adopt necessary protections. This would require a shift from the current voluntary, self-regulatory framework to a more structured, incentivized approach that holds healthcare entities accountable for cybersecurity measures.”

I’ve been talking for years about what I’ve seen as the need for a “Meaningful Use”-like approach to mandating the adoption and attestation of correctly configured safeguards designed to protect patient data and healthcare businesses.

Think about it. Why would you mandate and subsidize the creation of a massive, interconnected, digital ecosystem without immediately following it up with required safety controls? The HITECH Act created the massive EHR boom we saw take off in 2009 and, with it, massive amounts of what we call attack surface (the points of entry and vulnerabilities an attacker can exploit), without backing it up with stringent requirements to protect the data contained within it. That data (ePHI) is some of the most valuable and potentially damaging in the world. The HIPAA Security Rule and HITECH Act were designed, in part, to protect ePHI, but in the expert eyes of security practitioners they are diluted and subjective “administrative frameworks” versus a true “cybersecurity framework” like NIST CSF, HITRUST, etc. (For context, we encourage all our prospects and clients to adhere to the NIST CSF and “satisfy HIPAA along the way.”)

Healthcare executives and policymakers argue that the current federal response is underfunded and overly focused on hospitals, neglecting other crucial parts of the healthcare ecosystem like suppliers and contractors. Adherence to a comprehensive cybersecurity framework like HITRUST or NIST CSF, coupled with “Meaningful Use” for cyber attestation, would address those vulnerabilities by ensuring that cybersecurity practices are enforced throughout the entire healthcare infrastructure.

Ultimately, just as the HITECH Act helped healthcare organizations transition into the digital age, a similar federal effort for cybersecurity is crucial to protect patient information and maintain trust in the healthcare system. Without this focus, the healthcare sector remains highly vulnerable to increasingly sophisticated cyber threats.