Should Healthcare Cybersecurity Regulations Be Mandatory?

We simply can’t say this enough: Every company is a target today when it comes to cyberattacks―regardless of size, revenue and industry. However, the healthcare industry has quickly become an especially attractive target for cyber criminals as it becomes ever more dependent on technology to enhance the delivery of care, automate services and digitize data.

According to a recent Moody’s Investors Service report, hospitals cumulatively represent approximately $250 billion in rated debt, with much of that risk tied to the need for data access and the sensitivity of that information. Given their mass collections of confidential medical records, Social Security numbers and insurance data, they are prime targets for cyber criminals. For the healthcare industry in particular, cyberattacks are alarming because they not only threaten the security of systems, networks and information, but can also directly impact the health and safety of patients.

In response to the growing cyber threats, the U.S. Department of Health and Human Services (HHS) released voluntary healthcare cybersecurity guidance at the end of 2018 to help medical-related organizations strengthen their security measures, as part of its work under the broader Cybersecurity Act of 2015. The goal of the guidance is to promote awareness, provide best practices, and move every organization within the industry toward more consistent strategies and tactics to mitigate cybersecurity threats.

Cyber Criminals Do Not Discriminate Between Doctor and Hospital

It is ill-conceived for those who own a medical practice or run a small-to-medium-sized service organization to think that cyberattacks only happen at large hospitals and health systems. As we’ve said previously, cyber criminals do not discriminate and can negatively impact healthcare organizations of every size and specialization―from small, solo practitioners to large, multi-hospital health systems.

It’s a problem of epidemic proportions when you consider these stats:

Hackers have found multiple ways to monetize illegally obtained healthcare data: cybercriminals sell personal data on the black market to enable Medicare fraud and identity theft, and, more sinister still, hostile nation-states gather it as foreign intelligence. Ransomware attacks, too, have recently tormented the healthcare industry, in some cases directly interrupting patient care.

We in the security industry wonder why it took so long to roll out this guidance. The threats aren’t disappearing. In fact, they’re only increasing and becoming more sophisticated with each attack. Perhaps a more pointed question would be: Why not make these types of healthcare cybersecurity regulations mandatory?

It’s true that healthcare providers are directed by the Health Insurance Portability and Accountability Act (HIPAA) to protect patients’ health information. Healthcare organizations must be able to demonstrate HIPAA compliance in order to avoid fines as well as potential legal action in the event of a breach. While HIPAA is widely considered the primary regulation in the industry, other guidelines and policies have recently been introduced, such as the Internet of Medical Things Resilience Partnership Act and the Medical Device Cybersecurity Act of 2017.

It All Begins with Access

Effective cybersecurity within the healthcare industry is a shared responsibility between providers and their employees as well as each one of their business, technology and service partners―even their patients.

It all begins with preventing unauthorized access to networks, systems, and sensitive data. Information is crucial as we continue to develop innovative new ways to deliver healthcare more efficiently and effectively, so we must ensure every step possible is taken to protect it―mandated or not.