Secure, vigilant, and resilient: three pillars of health care cyber risk protection
by Mark Ford, principal, Deloitte & Touche LLP
It is prime time for health care hackers. With the advent of big data and a sharp rise in the amount of health care data being collected, stored, and exchanged, opportunities to steal sensitive information and wreak serious damage across the health care spectrum are escalating.
In September 2013, compliance with the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule became mandatory. Among other provisions, it strengthens regulatory protections of patient information, increases penalties for breaches, makes business associates directly liable for compliance, and places greater responsibility on covered entities to ensure that business partners, associates, and other third-party vendors are doing all they can to protect sensitive information. Regulation is the primary means by which government gets the attention of commercial business, and it is very important; however, it is not enough to address the rapidly changing and increasingly sophisticated threats the health care industry faces. It’s time to see beyond compliance.
What’s especially troubling is the relative ease with which health data is stolen or compromised, even at organizations that are “HIPAA compliant.” In many cases, the industry’s cyber risk exposure can be attributed to a lack of focus, commitment, and sufficient resources. Too few health care enterprises can detect and disrupt cyber-attacks before they do damage. They are then forced to respond only after the threat has taken root, which makes a meaningful response to a breach that much more challenging.
Since HIPAA’s Breach Notification Rule was published in 2009, more than 800 large-scale breaches, defined as those affecting 500 or more individuals, have been reported. They include unauthorized disclosures of protected health information (PHI) and incidents that denied patients access to their PHI.1
If a major insurer suffers a massive breach, it’s a pretty good bet that the third-party business partner responsible for it won’t be the one whose failure is splashed across the front page. When crisis hits, public sentiment doesn’t distinguish between contractual responsibilities; the party with the highest profile usually takes the hit. Can that same payer rely on a “business associate agreement” to keep its name out of the newspaper? I doubt it.
So, health industry leaders are understandably anxious and unsettled about cyber security. Recently, I attended a health care CIO conference. The theme was health information exchanges, and nearly all of the questions these leaders asked touched on security: how their data could be managed more safely, and how protection systems can be both preventive and responsive.
One way to think about how to defend from evolving cyber risks is to understand the various types of threats health industry leaders face. Let’s take a look at three main types of threat actors:
Of these three, the classic hacker is typically the most common and of paramount concern to leaders in the health care and life sciences industries. To defend against the classic hacker and the other categories of threat actors, you need an approach that takes the nature of each threat into account.
Comprehensive use of real-time (or near-real-time) threat intelligence informs the most effective multi-tiered approach, which is embodied in three operational buckets: security, vigilance, and resilience. Each is an essential pillar of a comprehensive strategy. Health care leadership should make sure that controls are put in place at every critical step of system development and, more importantly, carried through into operational deployment, not bolted on after the fact and not only once a disruptive attack has occurred.
Many strategies deployed in health care have not adequately addressed cyber-threat risk, likely because their focus has been primarily on compliance. Data breaches have become more targeted in recent years, and those who commit intentional breaches have become more sophisticated. Many companies are struggling to understand how their protections need to adapt to today’s evolving threats. Hackers are always adapting to exploit vulnerabilities; the health care sectors have shown mixed results in keeping up.
Of the three major health care sectors, life sciences companies tend to have invested the most in cyber security and are considered to be the most prepared and most forward-thinking. Their products and services carry enormous value (such as the intellectual property of a new drug), and their industry is highly competitive. They are often better equipped to understand and address potentially catastrophic cyber-attacks. They arguably have the most at stake and tend to apply more resources to meet the challenge.
Providers are motivated largely by compliance. Ask most hospital officials what they’re doing about cyber risk and they’ll often frame it only in terms of how they’re meeting HIPAA requirements. They have a significant amount of sensitive data at stake (such as PHI) and, by comparison, few resources to protect it. In this highly vulnerable environment, that could spell trouble.

There’s no easy remedy, no silver bullet that will end cyber-attacks once and for all. Data protection will only become more challenging in the years ahead. Employing the right tactics is essential. Steady regulatory compliance and investment in additional resources, including people, processes, and the latest technology, are all necessary steps. However, these tactics are only as good as the strategy that guides them. When addressing the pervasiveness of cyber risk, it is essential that your strategy be secure, vigilant, and resilient.
Mark Ford is a principal in Deloitte’s Cyber Risk Services practice and serves as the lead for the Life Sciences & Health Care industry. In this role, Mark has consulted with more than 60 health care organizations on compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) rules, on implementing new electronic medical records, and on applying for meaningful-use certification. Before taking on the health care leadership role, Mark established Deloitte’s Identity & Access Management (IAM) practice and led the service line for approximately 10 years. The IAM practice is recognized as the largest IAM consulting practice in the world.
1 Department of Health and Human Services, Office for Civil Rights, Health Information Privacy, Breach Notification Rule: Breaches Affecting 500 or More Individuals. Accessed via http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html