“PROTECT THE MOST VULNERABLE AT THEIR MOST VULNERABLE TIMES”
By Jim Ford, Founder and CEO, PatientLock®
The piece published by NPR today (Sept. 17, 2024) states “the rise in cyberattacks on healthcare systems, particularly ransomware attacks, demands the federal government to prioritize cybersecurity and patient information protection similarly to its approach with electronic health records (EHRs) through the HITECH Act.” Given my unique background of having gone from the “EMR world” into the “healthcare cybersecurity and compliance world,” this is something I think about a lot, and it closely parallels conversations we have internally at PatientLock, with clients, prospects, and industry counterparts.
“Healthcare is now the most targeted industry for ransomware attacks, with 249 healthcare institutions affected in 2023 alone. These attacks paralyze services, disrupt patient care, and compromise sensitive patient data. The HITECH Act, enacted in 2009, was a catalyst in the “digitization of healthcare” by incentivizing the adoption of EHRs and implementing standards for data sharing and privacy. Similarly, federal mandates and incentives focused on healthcare cybersecurity could ensure that institutions adopt necessary protections. This would require a shift from the current voluntary, self-regulatory framework to a more structured, incentivized approach that holds healthcare entities accountable for cybersecurity measures.”
I’ve been talking for years about what I’ve seen as the need for a “Meaningful Use”-like approach to mandating the adoption and attestation of correctly configured safeguards designed to protect patient data and healthcare businesses.
Think about it. Why would you mandate and subsidize the creation of a massive, interconnected, digital ecosystem without immediately following it up with required safety controls? The HITECH Act created the EHR boom we saw take off in 2009 and, with it, an enormous amount of what we call attack surface (points of entry and vulnerabilities an attacker can exploit), without backing it up with stringent requirements to protect the data contained within it. That data (ePHI) is some of the most valuable and potentially damaging in the world. The HIPAA Security Rule and HITECH Act were designed, in part, to protect ePHI, but in the expert eyes of security practitioners they are diluted and subjective “administrative frameworks” versus a true “cybersecurity framework” like NIST CSF, HITRUST, etc. (For context, we encourage all our prospects and clients to adhere to the NIST CSF and “satisfy HIPAA along the way.”)
Healthcare executives and policymakers argue that the current federal response is underfunded and overly focused on hospitals, neglecting other crucial parts of the healthcare ecosystem like suppliers and contractors. Adherence to a comprehensive cybersecurity framework like HITRUST or NIST CSF, coupled with “Meaningful Use” for cyber attestation would address those vulnerabilities by ensuring that cybersecurity practices are enforced throughout the entire healthcare infrastructure.
Ultimately, just as the HITECH Act helped healthcare organizations transition into the digital age, a similar federal effort for cybersecurity is crucial to protect patient information and maintain trust in the healthcare system. Without this focus, the healthcare sector remains highly vulnerable to increasingly sophisticated cyber threats.