Federal Cybersecurity Efforts Seek to Improve Protection of Health Data

Healthcare data breaches affect millions of people every year, and it’s a growing problem. Medical records include financial and personal information that hackers can sell on the dark web and use for various other nefarious purposes. In 2022, healthcare organizations in the United States suffered an average of 1,410 weekly cyberattacks per organization—an 86 percent increase compared to 2021. As an industry, healthcare consistently has the highest number of data compromises, and the number of healthcare data breaches continues to increase each year.

“Healthcare data has a lot of value, and as an industry, there’s also a lot of legacy systems that may not be secure,” says Charles Hale, PMP, CISM, founder and president of Hale Consulting Solutions, a firm that specializes in healthcare cybersecurity, privacy compliance, and project management. “That’s a bad combination when it comes to cybersecurity.”

The rise in data breaches has prompted the federal government to step up its efforts to improve healthcare cybersecurity, most recently through its Digital Health Security (DIGIHEALS) project. The project aims to protect the US healthcare system’s electronic infrastructure by identifying proven technologies for national security and applying them to civilian health systems, clinical care facilities, and personal health devices. The goal is to ensure patients continue to receive care in the wake of widespread cyberattacks on today’s medical facilities.

The Advanced Research Projects Agency for Health (ARPA-H), a division of the Department of Health and Human Services (HHS), announced the project in August and sought proposals for technology solutions. In September, the agency awarded $50 million to fund six projects by companies and universities including the University of California San Diego and Arizona State University. The projects seek to advance technologies that address vulnerabilities in securing health care data, such as automated medical device patching, ransomware intervention, cyber reasoning techniques, and electronic health record consolidation, according to the agency.

Making Strides to Stop Cyber Theft

The federal initiatives are sending a signal to cyber thieves: Healthcare cybersecurity is a top priority, and it’s time to get creative with solutions.

“The country’s national defense sector is often at the forefront of data security innovation,” says Andrew Carney, ARPA-H program manager. “Through DIGIHEALS, ARPA-H aims to work with these innovators and focus on advances in security protocols, vulnerability detections, and automatic patching to reduce the ability of bad actors to attack digital health software and to prevent large-scale cyberattacks. In addition to addressing cybersecurity vulnerabilities, the project aims to identify and fix software-related weaknesses that affect the well-functioning of hospitals.”

The project, which acknowledges shortcomings in off-the-shelf software tools in detecting emerging cyber threats, comes on the coattails of similar federal efforts announced in July to improve healthcare cybersecurity, including the announcement of a National Cybersecurity Strategy Implementation Plan and National Cyber Workforce and Education Strategy. The cybersecurity implementation plan seeks to strengthen the nation’s digital ecosystem through policy, public-private collaboration, and data steward accountability. The workforce strategy focuses on developing cyber skills needed in the workforce and society.

Among other recent federal efforts to improve cybersecurity, the National Institute of Standards and Technology (NIST) in August published the NIST Cybersecurity Framework 2.0, which focuses on cybersecurity governance, risk management, and third-party considerations. The NIST framework is a set of cybersecurity best practices and recommendations to help health information (HI) professionals improve their management of cybersecurity risk. Public comments on the updated framework are due November 4.

In September, the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) announced the release of version 3.4 of the Security Risk Assessment (SRA) Tool. The tool helps HI professionals better track risk remediation efforts, understand key cybersecurity terminology, and more.

“We need more help in the healthcare arena, and the federal government is recognizing that,” Hale says. “Hackers are more strategic in their approach. We’re seeing more coordinated large ransomware groups and advanced persistent threats targeting healthcare. We’re also seeing breaches through third-party vendors. In one case, it was through the company that set up the smart TVs in the hospital. There are so many ways to get into a hospital’s work.”

Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center (H-ISAC), says he’s not surprised the federal government is getting more involved in healthcare cybersecurity. H-ISAC is a global, non-profit organization that offers a forum for sharing cyber threat intelligence and best practices.

“It’s just not about patient safety. It’s also about public safety and even national security,” says Weiss, who spoke about cyber threats to healthcare organizations at the AHIMA23 Conference on Oct. 9 in Baltimore. His session will be presented on Oct. 27 during the AHIMA23 Virtual Conference. “When things start to go wrong locally, there could be a domino effect. When a hospital is impacted by ransomware, it defers patients to another hospital. When that second hospital becomes overwhelmed, it defers to a third hospital and so on. The issue starts impacting a larger area.”

Weiss says he hopes innovations that come from the DIGIHEALS project will include self-healing network technology that would detect and fix problems such as an outdated security patch. This technology can help take the burden off existing information technology (IT) staff, particularly in small, rural hospitals that are sometimes most vulnerable to cyberattacks, he says.

“I’ll be interested to see what comes out of the DIGIHEALs project,” Weiss says. “Big companies can afford to throw all kinds of money at this type of technology. Can we get to the point where it’s a much more affordable commercial product—something that small organizations can afford on their own? I guess that’s the idea here—to commercialize advanced technology.”

The Role of HI Professionals in Cybersecurity

Technology is only part of the answer to combating data breaches. Experts say a cyber-savvy workforce is equally as important, and HI professionals play a critical role by forming strategic partnerships, promoting cybersecurity training, and implementing cybersecurity best practices.

HI professionals’ efforts can work together with federal initiatives to help strengthen protections of health data from cyber threats.

Healthcare organizations need skilled HI professionals leading the charge to improve cybersecurity, says Kelly McLendon, RHIA, CHPS, senior vice president of compliance and regulatory affairs at CompliancePro Solutions, a company that provides security and privacy risk analysis, training, and consulting services to healthcare organizations and others. “They need to be at the forefront of leading training on cybersecurity and be an active participant in their organization’s cybersecurity strategy.”

Staying on top of regulatory changes is paramount, Hale says, adding that HI professionals who understand complex cybersecurity regulations can help identify ways to implement requirements at the operational level. “We need people who understand the industry to come forward and say, ‘Here’s the best way to do it.’ ”

For example, HI professionals can make sure health IT professionals understand and implement technical specifications of the 405(d) practices of the Cybersecurity Act of 2015.

“Many organizations don’t even know about 405(d) and its benefits,” says McLendon. “OCR said if you adopt a recognized security practice for 12 months, it will give enforcement discretion on the [Health Insurance Portability and Accountability Act of 1996] security rule. It’s a huge carrot for organizations to adopt the 405(d) practices. It could potentially save an organization millions of dollars in fines.”

It’s also important for HI professionals to help build a culture of security with a focus on keeping internal IT systems up to date and ensuring third-party vendors do the same.

“Not a week goes by that you don’t see emergency patches from Microsoft or Google,” Hale says. “We are still in this mindset as an industry that we do our monthly patching and that’s enough, but it’s not anymore. If a patch comes out for a vulnerability, cybercriminals have reverse engineered that patch and know how to use that vulnerability within a week. If you don’t patch it for a month, you’ve been hacked.”

Weiss says HI professionals can help healthcare organizations think more broadly about cybersecurity. “You can’t just put a firewall in place. There are so many ways to get to the network,” he says. “Look at all the cloud service providers out there. There's no neat perimeter anymore. It’s more than just protecting that single point of connection to the internet. Organizations can’t think that way anymore.”

Shifting the organizational mindset requires partnership between the chief information security officer and business leaders like HI professionals, say Hale. “Historically, cybersecurity was considered an IT problem,” he says. “While there are IT solutions, it’s really a business problem. Business leaders need to engage IT right upfront before purchasing and implementing any type of technology.”

HI professionals also can help develop comprehensive downtime procedures. “A hacking incident could go on for weeks or months, and it’s extremely important to address this in a downtime plan,” McLendon says.

Cybersecurity threats are always evolving, and HI professionals must be ready to respond with training, input, and cybersecurity best practices.   

“We’ve moved on from the idea of preventing every attack from happening to basically accepting the fact that we know we’re going to be attacked,” Weiss says. “We know attackers are going to be successful. Let’s put our focus on early detection. How soon can we know there has been an incident? And then likewise, how quickly can we respond and remediate?”

He says the DIGISHEALS project and similar federal efforts are a step in the right direction. But in the meantime, organizations—particularly small, rural hospitals—need more immediate solutions to protect information.

“The federal efforts are a great long-term investment. But we’ve got to focus on today,” Weiss says. “Organizations are underfunded and under-resourced when it comes to cyber security. They need more resources. They need more help to protect their networks.”

Lisa A. Eramo, MA, is a freelance healthcare writer based in Cranston, RI.