U.S. Cyber Strategy: A Whole-of-Nation Approach to Healthcare Sector Data Vulnerabilities
Shelly Cheng, Ashley Fox, Beata Safari, and Maddy Want
December 22, 2020
Executive Summary
The Healthcare and Public Health (HPH) critical infrastructure sector is an important system of public and private stakeholders that faces unique challenges and needs. Because it is intertwined with other critical infrastructure sectors, insecurity in the HPH sector has the potential to wreak havoc on the well-being of individual patients and of society as a whole. Under the guidance of the Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and National Institute of Standards and Technology (NIST), the HPH sector has made notable improvements in protecting its operations and service delivery through a whole-of-nation approach. However, much work remains toward building robust resilience across the sector. By building on existing public-private partnerships, strengthening existing regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the NIST Cybersecurity Framework, and setting new standards of care for the digital hygiene of medical staff, stakeholders in the HPH sector can make a significant improvement in the sector’s defensive cybersecurity posture. Doing so will require a well-rounded and lateral whole-of-nation approach that leverages the resources and expertise of the private sector and strengthens the governing ability of the public sector.
Scope of Work
This paper draws on federal policy, historical reporting data, legal doctrine, technical literature, and academic sources to assess the cyber threat landscape for the U.S. healthcare and public health critical infrastructure system and the ways a public-private partnership could enhance the response to that threat landscape in the health sector. Although medical device vulnerabilities present a significant cybersecurity risk for the sector, the scope of this paper is limited to data security systems within hospitals and their relevant vendors. It should also be acknowledged that a significant number of information-sharing mechanisms exist within the critical infrastructure and cybersecurity policy realms that relate in some way to the HPH sector; this paper, however, focuses specifically on the National Cyber Investigative Joint Task Force (NCIJTF). Moreover, while a broader national data privacy law could certainly address many of the data security issues within the HPH sector, discussion of an omnibus privacy law in the United States is out of scope, as is the implementation of personal data usage laws more generally.
Background
Understanding Cyber Threats to the Healthcare and Public Health Sector
Healthcare and public health as a critical infrastructure
Critical infrastructure is any system that is essential to the functioning of a society or economy. Currently, the United States government, through Presidential Policy Directive 21 (PPD-21), identifies 16[1] critical infrastructure sectors: chemical; commercial; communications; manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.[2] There are three main types of threats to critical infrastructure: natural, human-caused, and accidental/technical.[3] This paper focuses specifically on human-caused and technical threats to the healthcare and public health sector (HPH sector).
The HPH sector includes healthcare facilities, research centers, suppliers, manufacturers, insurers, and public-private information technology systems required for the use and storage of HPH data. The sector comprises six private (direct patient care, health information technology, health plans and payers, mass fatality management services, medical materials, and laboratories, blood, and pharmaceuticals) and two public (public health and federal response and program offices) subsectors (Appendix A: Figure 1).[4] Under Homeland Security Presidential Directive 7 (HSPD-7), HHS serves as the designated “Sector-Specific Agency” tasked with protecting HPH infrastructure.[5] To this end, HHS is responsible for:
“Collaborating with all relevant federal departments and agencies, state and local governments, and the private sector, including with key persons and entities in [the HPH] infrastructure sector;
conduct[ing] or facilitat[ing] vulnerability assessments of the sectors; and
encourag[ing] risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources.”[6]
HHS abides by a number of governing documents in its approach to securing HPH critical infrastructure. These documents include: the NIST Cybersecurity Framework, the National Health Security Strategy and Implementation Plan, PPD-21, and Executive Order 13636. For data security, specifically, HHS follows the E-Government Act of 2002 and the Health Insurance Portability and Accountability Act (HIPAA).[7] The current public-private partnership strategy underpinning critical infrastructure governance in the United States was established by President Bill Clinton in 1998 under Presidential Decision Directive 63, with the administration noting that, “Only the private sector has the skills and abilities to manage the complex process of developing new technologies and bringing them to market, while . . . [the] government plays a vital role in enabling the private sector’s efforts.”[8]
From hospitals to medical device manufacturers, pharmaceutical companies, and insurers, a majority of the HPH critical infrastructure sector is owned and operated by the private sector. This high portion of private ownership creates an imperative for the government to create and maintain strong bonds with the private sector. As President Clinton highlighted with the passing of PDD-63, the private sector has unique resources, capabilities, and expertise that the government does not have. However, the government holds unique convening and governing powers that the private sector does not. Lateral public-private partnerships will be essential for implementing a robust whole-of-nation approach for securing HPH critical infrastructure. Later sections of this paper discuss more specifically the problems with the current top-down, government-to-private sector status quo within the HPH critical infrastructure security posture, and highlight ways to strengthen it.
Healthcare sector cyber risks, threats, and vulnerabilities
The unique patient-focused nature of HPH paints a complicated picture for the security needs and procedures of the sector compared to other critical infrastructure. With hospitals open 24 hours a day, seven days a week, and 365 days a year to individuals from literally every walk of life, the sheer number of human vulnerability points makes it physically difficult to monitor and effectively manage system security. Meanwhile, in an effort to provide the quickest and most efficient care possible to patients, providers often leave workstations unlocked, share login credentials with coworkers, or allow widespread access to sensitive information by individuals who lack the necessary digital hygiene training. Hospitals commonly see high rates of staff turnover or rely heavily on untrained volunteers to fill gaps, making widespread security training challenging to implement and maintain. Moreover, as healthcare professionals are tasked foremost with patient care, cybersecurity is typically an afterthought delegated solely to IT professionals rather than treated as part of the patient care framework. This perception of cybersecurity as an afterthought and/or an IT problem is often reflected in the administrative spending and budgets of hospitals and healthcare vendors.[9] Unlike financial information, which can be reissued after a compromise, individual patient health data cannot be changed and follows the patient throughout their lifetime. Because of this, a single breach of patient data can cause lifelong problems for the compromised patients, depending on how the information is used.
Health care systems vary widely by size and security capability and include everything from single-physician practices to large conglomerate hospital systems, public and private payers, research institutions, and medical device and software companies.[10] Today, a significant portion of health care services are provided by small and/or rural hospitals that lack the information security capabilities and infrastructure required to protect against cyber attacks, creating a cybersecurity digital divide within the sector. A recent report by CynergisTek found that only 44 percent of healthcare organizations within the United States were compliant with the NIST Cybersecurity Framework, while a little over three-fourths met HIPAA Security Rule standards.[11] Moreover, a vast majority of the 300 assessed facilities scored worse than a “C” on their conformance with NIST, with only one-third performing an annual risk assessment as dictated by the Framework. Of the assessed facilities, physicians’ groups fared the worst at only 28 percent compliance, compared to 96 percent and 76 percent for assisted living facilities and insurers, respectively.[12] The report authors noted that this disparity in compliance scores can be attributed to a lack of financial investment in actual risk reduction measures, such as regular risk assessments, multi-factor authentication, privileged access management, and ongoing workforce security training, despite an increased focus on information security in the healthcare sector.[13]
According to the 2020 HIMSS Cybersecurity Survey, nearly all healthcare organizations have experienced significant security incidents within the last year. Accounting for more than half of survey respondents’ security incidents, the primary threat to healthcare networks and information systems is phishing campaigns, followed by credential harvesting at 21 percent.[14] These attacks typically resulted in significant disruptions to information technology and business operations, followed by data breaches or leaks and monetary loss. Sixty-one percent of these disruptions were to non-emergency clinical care operations. Financial information is believed to be the number one target of attackers, followed by employee information and patient data, which can be harvested and sold on the dark web. Only 39 percent of respondents reported that their organizations had effective mechanisms in place to detect patient safety issues related to significant security incidents. This could be due to a lack of communication between patient care professionals and healthcare cybersecurity professionals within organizations.
With phishers reported as the top threat actor and phishing attacks consistently accounting for the highest share of cyber attacks on healthcare organizations, humans present the most significant vulnerability within the HPH sector. Any individual within a healthcare organization’s system, from doctors and nurses to insurance payers and even patients, is at risk of spear-phishing, social engineering tactics, malicious links, and other phishing campaigns. Phishing is typically the first step deployed by attackers to compromise a healthcare system: almost all (89 percent) respondents indicated that the initial point of security compromise within their organization started with an e-mail, with human error the next most common initial point of compromise, cited by 35 percent of HIMSS Cybersecurity Survey respondents. Examples of human error include, but are not limited to, inserting infected USB devices, accidentally leaking sensitive patient, financial, or other proprietary information to the web or a file sharing service, and compromises that occur when a third party repairs a device or equipment containing PHI, intellectual property, or sensitive information.[15]
However, while nearly 60 percent of respondents indicated that phishers are their most prominent cyber threat, there was a 25-percentage-point increase in respondents indicating that cybercriminals and other hackers present a significant threat to healthcare systems. The COVID-19 pandemic has caused some shifts in the threat landscape in terms of top threat actors. With many personnel working from home due to the pandemic, social engineers and cybercriminals have taken advantage of the inability of healthcare cybersecurity professionals to fully monitor remote endpoints, especially home computers and personal devices.[16]
Existing HPH Sector Public-Private Partnership Cybersecurity Models of Note
Information-sharing organizations and structures
Information sharing is a foundational pillar of U.S. cyber strategy across critical infrastructure sectors. Through the Cybersecurity Information Sharing Act of 2015, President Barack Obama and the 114th Congress established procedures and expectations for the Departments of Homeland Security, Defense, and Justice to share pertinent cyber threat information with non-federal government entities.[17] The HPH sector participates in a number of relevant information-sharing initiatives, including the Critical Infrastructure Cyber Community (C3) Voluntary Program, the Health Sector Coordinating Council (HSCC), the Cyber Health Working Group, and the Health Information Sharing and Analysis Center (H-ISAC), among others.[18] These various information-sharing organizations provide necessary pathways for the government and owner-operators to communicate and serve as a stepping stone toward a robust whole-of-nation approach to cybersecurity.
The National Cyber Investigative Joint Task Force
In 2008, the White House established the National Cyber Investigative Joint Task Force (NCIJTF) by directive to coordinate, integrate, and share information related to domestic cyber-threat investigations.[19] As the lead law enforcement agency responsible for investigating cyber matters, the FBI develops and supports the NCIJTF, which includes participation from over 30 agencies across law enforcement, the intelligence community, the Department of Defense, the Department of Homeland Security, and the National Security Agency.[20]
From the beginning, the FBI and the NCIJTF had communication deficiencies, but those difficulties all but disappeared within a few years. In a report published in 2011, the Office of the Inspector General (OIG) concluded that members in the FBI and the NCIJTF “did not consistently share cyber intrusion threat information and . . . NCIJTF members were not told why they did not receive available information.”[21] To resolve this, the OIG made recommendations to alleviate complications in the sharing of information and transparency, to the extent that when another audit was conducted in 2015, the OIG reported that “NCIJTF members told us that they believe interagency collaboration has increased and information has been shared freely between member agencies as necessary.”[22] This improvement exemplifies the best of the whole-of-government approach: the OIG’s recommendations were effective because the FBI and NCIJTF report to the same source of power, share common goals and mandates, and all share the same security clearance.
CyberRX resilience exercises
Since 2014, the Health Information Trust Alliance (HITRUST), in partnership with HHS, has designed and implemented scenario-based exercise programs to assess the cybersecurity response preparedness of healthcare organizations. The second iteration, CyberRX 2.0, was jointly facilitated by Deloitte Advisory Cyber Risk Services and included more than 250 health plan organizations and insurers and an expanded tiering system based on organization type, size, and experience level. A primary objective of this iteration was to “highlight the roles of HITRUST, HHS, and health plan industry partners before, during, and after cyber incidents” to help “identify areas for improvement for industry-wide cyber resilience.”[23]
This program is completely voluntary and free for members of HITRUST. Although it is run in partnership with HHS, CyberRX is almost entirely designed, managed, and implemented by private sector companies. This model of partnership built around private sector-led resilience exercises is a good candidate for scaling to a national level across the whole HPH critical infrastructure sector.
Discussion
Problems with Current Strategy Addressing Healthcare Data Vulnerabilities
Strategy focus on voluntary information sharing
As noted in the background section, information sharing is at the heart of U.S. cyber strategy for critical infrastructure systems. While this approach has proven successful in creating a collaborative public-private partnership environment, much remains to be desired. One notable concern with the voluntary information-sharing approach is liability and the risks associated with sharing the information necessary for safeguarding organizations. Currently, participation in the information-sharing ecosystem is voluntary on the part of the private sector. CISA has made significant strides in creating buy-in from the private sector, including increasing the number of non-Federal participants in the Automated Indicator Sharing (AIS) system by more than 195 percent since 2016.[24] However, untested liability issues, particularly surrounding personal health information and violations of HIPAA, may disincentivize many HPH owner-operators from participating.[25] Moreover, while voluntary information sharing has helped improve deterrence and resilience across critical infrastructure sectors, more progress must be made on what happens after an intrusion occurs: denying benefits to and imposing costs on malicious actors.
New challenges posed by COVID-19 pandemic
Stay-at-home requirements, which made exceptions only for grave illness or a serious case of COVID-19, made it inherently difficult to receive medical attention for any illness that was not grave. This ushered in a new boom in telehealth and telemedicine services. “Telehealth” is defined in the Health Care Safety Net Amendments of 2002 as “the use of electronic information and telecommunications technologies to support long distance clinical health care, patient and professional health-related education, public health, and health administration”.[26] “Telemedicine” is defined similarly in Title 25, as “a telecommunications link to an end user through the use of eligible equipment that electronically links health professionals or patients and health professionals at separate sites in order to exchange health care information in audio, video, graphic, or other format for the purpose of providing improved health care services”.[27] It would appear, on its face, that greater use of such telehealth services would be a boon. However, many of the technologies used by professionals did not comply with requirements under HIPAA, leading HHS to announce that it will exercise “its enforcement discretion” not to enforce HIPAA rules against the good-faith provision of telehealth services.[28] This exemption did not, however, apply to the DOJ, which has not declared that it would refrain from exercising its criminal enforcement authority.[29]
The proposed National Defense Authorization Act for fiscal year 2021 (“Proposed NDAA 2021”) demonstrates a recognition that telehealth services could be immensely beneficial to military personnel and need further evaluation. The Proposed NDAA 2021—as of this writing, presented to the President on December 11, 2020—encourages the military health system to implement telehealth and virtual health technologies using a flexible acquisition process and requires the Department of Defense to conduct a study and report on increasing telehealth services across the armed forces.[30] The study should: (1) identify and evaluate limitations and vulnerabilities of health care and medicine capabilities with respect to telemedicine; (2) identify and evaluate the essential technologies necessary to achieve the goals and capabilities of telehealth and which technologies are best equipped to support sustainability; (3) develop a technology maturation roadmap to achieve effective operational telehealth usage; and (4) analyze existing telehealth programs that contribute to the medical readiness of military medical providers.[31]
Patchworked state laws on reporting medical data breaches
HIPAA mandates reporting of breaches that affect 500 or more individuals without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. For breaches that affect fewer than 500 individuals, reporting within 60 days of the end of the calendar year in which the breach was discovered is sufficient to comply with the law, and the information regarding the breach need not be publicly accessible.[32] Unauthorized access and hacking laws exist in all 50 states, denial of service attack laws have been enacted in 26 states, and ransomware or extortion laws are on the books in approximately six states, which means there is no single clear set of instructions in the event of a medical data breach.[33] This patchwork of state laws, which often impose timelines shorter than 60 days, has led to uncertainty among covered entities and business associates as to the appropriate timeline to follow in the event of a medical data breach.[34]
Poor digital hygiene among workers
Technology alone cannot secure healthcare organizations’ data systems. As noted in the background section, humans present the most significant risk to HPH cybersecurity. Despite undergoing years of rigorous training and qualification in order to practice healthcare and mitigate risks to patient care, medical professionals often have very little awareness of the risk that cyber intrusions present to patient care. While they are aware of HIPAA and its requirements, their official training rarely extends to specific preparation for the risks of system intrusions, patient healthcare data breaches, provider malware attacks that prevent the provision of services, or other cybersecurity risks unique to the healthcare industry.
This lack of awareness and formal training results in widespread poor digital hygiene among both healthcare workers and patients. When coupled with the high value of personal health information (PHI) to attackers, this creates a concerning risk vector. Practitioners who do not enforce or follow basic digital hygiene practices, such as changing passwords regularly, not sharing login credentials with colleagues, applying system updates when prompted, and setting realistic expectations with patients about how their information is handled, put their patients’ privacy at risk, and in the worst case their lives. In September 2020, a woman seeking medical care in Germany for a life-threatening condition died when the hospital was unable to admit her due to a ransomware attack on its systems.[35] While this is the first publicly known death resulting from a ransomware attack, it is unlikely to be the last. With the majority of cyber intrusions on healthcare organizations stemming from phishing campaigns, it is imperative that the healthcare sector strengthen digital hygiene to prevent future deaths.
In the “recommendations” section of this paper, there is a proposal for a new requirement for healthcare workers to undergo regular cyber hygiene training and certification to build awareness of and adherence to best practices.
Legacy systems
Medical systems and devices are some of the most difficult environments in which software and hardware vendors can innovate, due to the long cycle times involved in provider purchase orders and budgeting, the long wait times associated with FDA approval, and the extremely high standards for safety and security demanded of any product destined for use in a healthcare setting.
This results in problems typical of legacy products: incompatibility with newer technologies, suboptimal GUIs and user experiences, failure to leverage new efficiencies, and more. This is improved to some degree by public-private partnerships, in which the R&D is done by private organizations that can move more quickly than public institutions can, but it is still eventually hindered by the public sector bottleneck of FDA approval and the fact that most budgets (that is, the demand for the products) are controlled by the public sector.
Insufficient investment in the Medicare and Medicaid EHR system
The HITECH Act increased the focus on the importance of electronic health records (EHR) and set standards and incentives for their adoption by requiring all providers to demonstrate meaningful use of an EHR by 2014. Providers who failed to meet this deadline faced reduced Medicare reimbursements, while providers who did meet it received financial incentives.[36]
However, this 2014 deadline is now significantly in the past, and no new programs designed to support the continued integration, maintenance, and improvement of EHR systems have been proposed. Despite the meaningful cost savings that providers who implement EHRs can reap (“a large hospital can generate an additional $37 million to $59 million in revenue over five years following an EHR implementation through length-of-stay (LOS) reduction, readmission rate reduction, emergency department (ED) revenue reimbursement, ambulatory revenue reimbursement and drug cost reduction.”[37]), adoption is still not universal, and smaller providers continue to struggle with the immense cost of adoption. Furthermore, there remains no state-wide integration of provider EHR data, which could facilitate significant advances in patient analytics, more efficient resource distribution, and more. States must do more to encourage continuous improvement in EHR adoption and integration.[38]
Managing the massive volumes of patient-related data
The efficient storage and management of large volumes of data is a challenge for any organization, and even more so for those in the healthcare industry, where a large share of the data is personal health information (PHI) protected under HIPAA and requiring more stringent security, access, and hygiene protocols.
In addition to the sensitivity of the data, the volume can also be problematic: as the network of patients a provider serves grows, so too do the records in the database. Retention periods for data are long, as patients need reliable medical histories stored for their lifetimes. As more relevant information for each patient is added, such as treatments, visits, drug prescriptions and more, the number of joined tables grows too, increasing database complexity and straining capacity, leading to issues with database backup and replication.
This can lead to challenges in the efficient retrieval of data. Slow query runtimes, complex navigation of mapping tables, and more can increase complexity and lower the usability of the data, resulting in “wrong diagnoses, compromise in data security, improper treatment, lapsed appointments, and failure to keep up with the changes in progress or regression of the patient’s condition, etc. The implications can be catastrophic for both doctors as well as patients.”[39]
While HIPAA does scale patient data breach reporting requirements by the number of individuals affected (breaches affecting 500 or more individuals have stricter reporting requirements), many other HIPAA requirements do not share the same distinction. A small rural hospital usually faces the same obligations as Mt. Sinai Hospital does. This results in an especially burdensome regulatory environment for small providers, who must dedicate a larger proportion of their resources than larger providers do in order to maintain full compliance. While lowering the security and privacy standards for any provider is not encouraged, it must be noted that the current state advantages larger providers, who can absorb increasingly complex technical and security obligations more easily.
Recommendations
Appoint National Cyber Coordinators for Each Critical Infrastructure Sector
In the 2020 Cyberspace Solarium Commission report, cybersecurity experts highlighted the need to reform the government to strengthen deterrence structures within U.S. cyber strategy. A main component of this government reform process was a recommendation to create a National Cyber Director and to “give existing organizations the tools they need to act with speed and agility to defend our networks and impose costs on our adversaries.”[40] This recommendation was implemented under section 1752 of the National Defense Authorization Act for Fiscal Year 2021 (NDAA). While this is a great first step in strengthening cyber deterrence structures, the creation of one overarching position may not be enough to handle the complex and competing interests of the 16 critical infrastructure sectors.
Currently, through the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security operates the “Protective Security Advisor (PSA)” Program to engage private sector stakeholders across federal, state, local, tribal, and territorial regions to protect critical infrastructure. This program allows CISA and DHS to provide subject matter expertise, facilitate field activities, support security events, and respond to incidents across 73 districts within the United States and its territories.[41] Congress should further strengthen the oversight and information-sharing capabilities of the government by creating relevant National Cyber Coordinators for each of the 16 sectors. These individuals would report directly to the national cyber director and would be primarily responsible for overseeing and coordinating the operations of their respective sectors across the 73 PSA designated regions.
The healthcare and public health national cyber coordinator, specifically, would be responsible for working with HHS and sector owner-operators to ensure compliance with relevant regulatory standards such as HIPAA and the NIST Cybersecurity Framework, verifying regular risk assessment implementation across the sector, convening owner-operators and government officials for relevant working groups, scaling resilience exercises to the national level, identifying areas of improvement for digital hygiene standards and practices, and other relevant government-led initiatives. Lastly, to ensure streamlined cybersecurity oversight within HHS, the agency should consolidate the Office of the National Coordinator for Health Information Technology and the Health Sector Cybersecurity Coordination Center into a new bureau under the direction of the National HPH Cyber Coordinator.
Create a More Lateral Public-Private Partnership Structure
As the HPH critical infrastructure sector relies heavily on private sector participation and understanding, creating a lateral public-private partnership model that improves the current top-down, government-to-operators strategy will be key. A horizontal whole-of-nation approach that leverages private sector expertise and resources while strengthening government ability will help create the trust and buy-in necessary for robust security across the sector. To achieve this, policymakers should:
Establish mandatory resilience training sessions led by the private sector
Under HIPAA, healthcare organizations are required to undergo routine risk assessment procedures, coordinated through the Office of the National Coordinator for Health Information Technology and the Office for Civil Rights.[42] CISA and HHS should strengthen this requirement by expanding it to include mandatory resilience training exercises as a component of the annual risk assessments. This can be accomplished by scaling the CyberRX program run by HITRUST, Deloitte, and HHS to a national level at a steady rate over an extended period of time. CISA and HHS can work with private sector firms to develop large-scale programs relevant to the various operators within the HPH sector, starting with hospitals, clinics, and other patient-facing healthcare organizations and expanding to include insurers, pharmaceutical companies, device manufacturers, etc. as the program progresses. These programs should be tailored specifically to the unique needs of healthcare organizations (e.g., protecting personal health information or securing medical devices) and provide a scoring grade, similar to restaurant health code grades, for performance after completion.
Establish a national cyber incident reporting requirement for healthcare organizations
The Cyberspace Solarium Commission recommended the passage of a national cyber incident reporting law with the intention that DHS and DOJ would collaborate with public and private sector entities to identify the types of critical infrastructure entities to which it should apply.[43] Congress should pass a national cyber incident reporting law built into HIPAA that focuses on the immediate steps to take in the event of a breach leaking PHI and that would preempt state laws on the same subject. Currently, in the event of a breach of PHI, HIPAA regulations require a business associate to notify its affiliated covered entity, and a covered entity to notify affected individuals, the media, and the Secretary of HHS.[44] The new reporting law would grant the FBI prosecutorial authority and subpoena power, and would include carve-outs to shield any covered entity that voluntarily discloses medical breaches within the scope of the law.
Expand the NCIJTF to establish mechanisms for imposing costs on malicious actors
Layered cyber deterrence requires the imposition of costs on malicious actors. The U.S. prosecutes bad actors for electronic threats, electronic harassment, interception of electronic communications, spam, and disclosure of private information, among other crimes, under Title 18 of the U.S. Code, including the Computer Fraud and Abuse Act.[45] Over the past decade, the NCIJTF has taken steps to secure a whole-of-government approach in which agencies communicate vital information to each other and collaborate. DHS, DOJ, and HHS should work with critical infrastructure entities to create a collaborative force so that entities can share their threat profiles and have that information filed with the Bureau of Cyber Statistics.
The Southern District of New York has shown that even when an arrest or prosecution has not been possible, indictments can still have a deterrent effect by “naming and shaming” the perpetrators of attacks.[46] The FBI could take the same approach. The bureau has already been tasked with using an “algorithmic, data-driven, and objective methodology” to identify and prioritize cyber threats.[47] Additionally, the FBI will “develop and implement a record keeping system that tracks agent time utilization by threat.”[48] The FBI could share its findings with the task force and prepare a report to Congress advising how best to craft a new cyber incident reporting law focused on medical breaches, including particular thresholds for disclosure of PHI and security protocols. Requiring covered entities to comply with the reporting law, as above, together with the recommended amendments to HIPAA, as below, would pair the carrot with the stick, providing a mechanism for prosecuting even the most heinous of crimes, such as the cyber attack that led to a homicide in Düsseldorf.[49]
Amend Existing Policy and Legal Frameworks to Address New Challenges
Authorize usage of telehealth and telemedicine services under HIPAA
Covered entities and business associates could greatly benefit from the study and report on increasing telehealth services across the armed forces conducted for the proposed 2021 NDAA. In accordance with section 756 of the bill, the Secretary of Defense is required to deliver a report to the Senate on its findings within one year of the act’s enactment.[50] Given that telehealth usage can only be expected to increase over the course of the next year, any beneficial technology approaches and concepts should be offered for consideration in the next round of HIPAA amendments to ensure that best practices are perpetuated across the whole of the healthcare sector and not only across the military departments. Upon the Senate’s review of the anticipated study and report on telehealth services, it should apply those best practices in a new amendment to HIPAA.
Set compliance requirements according to the size and capability of healthcare organizations
HIPAA does not currently distinguish between covered entities[51] that treat thousands of patients and small private practice doctor’s offices with dozens of patients. In enforcing the law, the Office for Civil Rights has referred cases to the Department of Justice for criminal prosecution sparingly,[52] and applied civil penalties in a way that appears to have more strictly punished providers with more significant name recognition or industry clout. Creating a distinction could be useful for establishing other requirements beyond breach reporting in a way that does not unduly burden smaller providers while also mitigating the largest portion of the collective risk.
A HIPAA amendment should include provisions requiring large healthcare providers to establish, operate, and provide regular transparency into a privacy program within the provider. The program’s mandate would be to develop and share privacy policies for operations; monitor the state of cybersecurity protections, both technical and human; analyze and report on the greatest risks; develop and execute strategies to mitigate those risks; and develop strategies to sanction and remediate known non-compliance with the policies.
The Office of the National Coordinator for Health Information Technology has issued guidance[53] for healthcare providers that wish to adhere to both HIPAA’s nondisclosure and privacy requirements and the Medicare/Medicaid EHR Incentive Program’s privacy and security requirements. That guidance provides background on a variety of privacy requirements and standards and can serve as the basis for developing a privacy program.
Better incorporate the latest technology into the healthcare industry
Incentivizing state-level centralized EHR databases is a good place to start. In addition, the government should invest in the private sector and incentivize hospitals and vendors to adopt the latest technology, such as cloud computing. Currently, small provider groups and facilities are experimenting with cloud-based EHR systems, and some larger ones are attempting to build their own private clouds.[54] Moving healthcare data to the cloud will, however, bring additional challenges around data encryption and ownership, so it is essential to expand HIPAA’s compliance requirements and overall security accordingly.
The government should also invest in areas that improve the overall efficiency of the healthcare sector, especially those that do not generate profits in the short run, to further strengthen this public-private partnership. For example, efficient logistics practices ensure uninterrupted healthcare services, so the government should invest in a supply management system. Mismanaged medical inventory and equipment, or drug shortages, lead to inefficiencies on the provider’s side and to frustration, or even danger to health, on the patients’ side.[55]
Another area for investment is a data management system. Powerful analytics tools with an easy-to-use graphical user interface (GUI) give medical professionals not only easy and immediate access to accurate inventory numbers and budget allocations, but also powerful insights into existing data. Those insights have huge potential to assist in treating and preventing illness across the population.[56]
Implement digital hygiene curriculum for all users (including patients)
Like many other critical infrastructure sectors, cybersecurity risks in healthcare often arise from human error and a lack of digital hygiene: the human in the loop. Due to the highly human nature of healthcare, interactions between patients, physicians, administrators, and insurance providers leave open many opportunities for bad actors to take advantage of mistakes and ignorance. Therefore, the final recommendation is an amendment to HIPAA to require all healthcare providers, regardless of the size of their practice, to have staff undergo digital hygiene training in order to maintain the provider’s license to practice. This should involve three main components:
Professional certifications administered by third parties (public or private entities, such as SANS Institute’s “Healthcare Cyber Hygiene: Critical Security Controls”[57] or similar) that practitioners, administrators, and other healthcare staff must complete both one-time and on an ongoing periodic basis in order to continue practicing. The healthcare provider should be responsible for providing proof of practitioner certification upon request.
For medical students and residents, nurses, technicians, pharmacists, and other formally educated staff within a hospital system, completion of a cyber hygiene certification should be added to the requirements needed in order to graduate and qualify to work in the healthcare field for the first time. Like currently-practicing physicians, new graduates would be required to obtain recertification at the same frequency.
A “training of trainers” model program that equips healthcare organization leadership with the necessary tools and understanding for implementing regular digital hygiene training sessions for new staff and volunteers without having to contract out to third-party trainers. The program should also establish protocols requiring trainers to periodically complete training qualifications and recertification processes, to ensure proficiency that meets the needs of the current digital security environment. This could be built upon the CDC’s “Training of Trainers” model,[58] which equips “master trainers” to teach trainers how to deliver meaningful educational programs for professionals.
All cyber hygiene training should involve a patient-education component. Beyond the obvious provider-specific challenges of keeping software patches up to date, enabling multi-factor authentication for sensitive services, and being aware of how healthcare systems are interconnected, there are also elements of risk that are specific to the patient. For example, knowing that a healthcare provider will never ask a patient to disclose or send personal health-related information over email can train patients to recognize phishing attacks.
Improving cyber hygiene behaviors among those involved in the provision and receipt of healthcare services can be a low-cost, easy-to-implement method of considerably reducing overall risk. Although it does not replace the need for more rigorous technical protections, it is a crucial part of a holistic cybersecurity strategy in the healthcare domain.
[1] In January 2017, election security was designated a critical infrastructure sub-sector under Government Facilities, according to https://www.dhs.gov/topic/election-security.
[2] United States Cybersecurity & Infrastructure Security Agency, “Identifying Critical Infrastructure During COVID-19 | CISA,” April 2020, https://www.cisa.gov/identifying-critical-infrastructure-during-covid-19.
[3] Jonathan Tal, “America’s Critical Infrastructure: Threats, Vulnerabilities and Solutions,” Security Info Watch, September 20, 2018, https://www.securityinfowatch.com/access-identity/access-control/article/12427447/americas-critical-infrastructure-threats-vulnerabilities-and-solutions.
[4] Don R. Boyce et al., “Healthcare and Public Health Sector-Specific Plan” (U.S. Department of Homeland Security, May 2016), https://www.cisa.gov/sites/default/files/publications/nipp-ssp-healthcare-public-health-2015-508.pdf.
[5] “Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection,” Cybersecurity & Infrastructure Security Agency, December 17, 2003, https://www.cisa.gov/homeland-security-presidential-directive-7.
[6] “Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection.”
[7] Enacted in 1996 and amended in 2009, HIPAA covers the handling of personal health information (PHI) and medical records of patients by health plans, health care clearinghouses, and health care providers, to the extent that they conduct enumerated healthcare transactions electronically in the United States. HIPAA has best been understood in broad terms as being made up of the Privacy Rule and the Security Rule.
[8] National Science and Technology Council (U.S.), Technology in the National Interest (Washington, D.C.: NSTC Committee on Civilian Industrial Technology, 1996), https://catalog.hathitrust.org/Record/003112507.
[9] Emery Csulk and Theresa Meadows, “Report on Improving Cybersecurity in the Health Care Industry” (Health Care Industry Cyber Security Task Force, June 2017), https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf.
[10] Csulk and Meadows, “Report on Improving Cybersecurity in the Health Care Industry.”
[11] HealthITSecurity, “Just 44% of Healthcare Providers Meet NIST Cybersecurity Standards,” HealthITSecurity, September 23, 2020, https://healthitsecurity.com/news/just-44-of-healthcare-providers-meet-nist-cybersecurity-standards.
[12] HealthITSecurity, “Just 44% of Healthcare Providers Meet NIST Cybersecurity Standards.”
[13] HealthITSecurity.
[14] “2020 HIMSS Cybersecurity Survey,” Survey Report (HIMSS, November 16, 2020), https://www.himss.org/sites/hde/files/media/file/2020/11/16/2020_himss_cybersecurity_survey_final.pdf.
[15] “2020 HIMSS Cybersecurity Survey.”
[16] “2020 HIMSS Cybersecurity Survey.”
[17] Non-governmental entities include private companies, state, local, and tribal governments, the public, and other entities under threat.
[18] More information on the myriad information-sharing organizations available to the HPH sector can be found on the Health Industry Cybersecurity-Matrix of Information Sharing Organizations (HIC-MISO): https://healthsectorcouncil.org/hic-miso/.
[19] National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (2008); Michael Kraft, Edward Marks. U. S. Government Counterterrorism: A Guide to Who Does What. CRC Press. 173–74 (2012).
[20] National Cyber Investigative Joint Task Force, Fed. Bureau Inv., U.S. Dep’t Just., https://www.fbi.gov/investigate/cyber/national-cyber-investigative-joint-task-force (last visited November 7, 2020); Michael Kraft, Edward Marks. U. S. Government Counterterrorism: A Guide to Who Does What. CRC Press. 173–74 (2012).
[21] Audit of the Federal Bureau of Investigation’s Implementation of Its Next-Generation Cyber Initiative, Off. Inspector General, U.S. Dep’t Just., at 6–7 (July 2015), https://oig.justice.gov/reports/2015/a1529.pdf.
[22] Audit of the Federal Bureau of Investigation’s Implementation of Its Next-Generation Cyber Initiative, Off. Inspector General, U.S. Dep’t Just., at 7 (July 2015), https://oig.justice.gov/reports/2015/a1529.pdf.
[23] “CyberRX: Health Plans Cyber Simulation Exercise | After-Action Report,” Deloitte United States, December 2015, https://www2.deloitte.com/us/en/pages/center-for-board-effectiveness/articles/cyberrx-health-plans-cyber-simulation-exercise.html.
[24] “CISA’s Still Overcoming Challenges 5 Years after Cybersecurity Information Sharing Act Became Law,” Federal News Network, October 6, 2020, https://federalnewsnetwork.com/reporters-notebook-jason-miller/2020/10/cisas-still-overcoming-challenges-5-years-after-cybersecurity-information-sharing-act-became-law/.
[25] Eddie Schwartz, “CISA: A Good Start, but Challenges Remain on Security Information Sharing,” TechBeacon, accessed December 22, 2020, https://techbeacon.com/security/cisa-good-start-challenges-remain-security-information-sharing.
[26] 42 U.S.C. § 254c-16(a)(4) (2003).
[27] 25 U.S.C. § 1603(23) (2010).
[28] “Medicare Telemedicine Health Care Provider Fact Sheet,” Centers for Medicare and Medicaid Services, March 17, 2020, https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet.
[29] Linebaugh, C., “HIPAA, Telehealth, and COVID-19,” HeinOnline, https://heinonline-org.prx.law.columbia.edu/HOL/P?h=hein.crs/govdazx0001&i=4.
[30] “What Does Federal Health Look Like in 2021?”, FedHealthIT, August 27, 2020, https://www.fedhealthit.com/2020/08/what-does-federal-health-look-like-in-2021/.
[31] U.S. Congress, House, National Defense Authorization Act for Fiscal Year 2021, HR 6395, 116th Cong., introduced in House March 26, 2020, https://www.congress.gov/116/bills/hr6395/BILLS-116hr6395enr.pdf.
[32] 45 C.F.R. §§ 164.406, 164.408 (2013).
[33] “Security Breach Notification Laws,” National Conference of State Legislatures, July 17, 2020, https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
[34] Hewitt, C., “Creating a Healthcare Security Incident Reporting Process”, Xtelligent Healthcare Media, LLC, July 10, 2017, https://healthitsecurity.com/news/creating-a-healthcare-security-incident-reporting-process.
[35] Melissa Eddy and Nicole Perlroth, “Cyber Attack Suspected in German Woman’s Death,” The New York Times, September 18, 2020, https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html.
[36] Zach Urbina, “Top 12 Health Information Technology Issues,” Healthcare IT Connect, May 15, 2013, http://www.healthcareitconnect.com/list-top-12-health-information-technology-issues/.
[37] Amit Manchanda, “7 Problems Which Healthcare Technology Can Solve for a Healthier World,” Insights - Web and Mobile Development Services and Solutions, February 3, 2020, https://www.netsolutions.com/insights/5-healthcare-problems-which-digital-technologies-can-solve-for-a-fit-and-healthy-world/.
[38] Ibid.
[39] Ibid.
[40] Angus King and Mike Gallagher, “Cyberspace Solarium Commission Report” (U.S. Cyberspace Solarium Commission, March 2020), https://www.solarium.gov/report.
[41] “Protective Security Advisor Program Fact Sheet,” Cybersecurity & Infrastructure Security Agency, March 19, 2020, https://www.cisa.gov/sites/default/files/publications/CISA%20Fact%20Sheet%20-%20PSA%20Program%20-%20508c_IAA%20Final.19MAR2020.pdf.
[42] Office for Civil Rights (OCR), “Guidance on Risk Analysis,” Text, HHS.gov, July 14, 2010, https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.
[43] Angus King and Mike Gallagher, “Cyberspace Solarium Commission Report”, U.S. Cyberspace Solarium Commission, March 2020, at § 5.2.2, https://www.solarium.gov/report.
[44] 45 C.F.R. §§ 164.404–164.410 (2013).
[45] “Prosecuting Computer Crimes”, Office of Legal Education Executive Office for United States Attorneys, January 14, 2015, https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf.
[46] “Prosecuting Cyber Crime: An Overlooked Part of Bharara’s Legacy,” Mayer Brown, June 5, 2017, https://www.mayerbrown.com/en/news/2017/06/prosecuting-cyber-crime-an-overlooked-part-of-bhar.
[47] “Justice Department’s Role in Cyber Incident Response,” Congressional Research Serv., at 9, December 18, 2020, https://www.everycrsreport.com/files/2020-12-18_R44926_37d80a33bd376a94f0c005a0faa66ed425f00cf1.pdf.
[48] Ibid.
[49] “Prosecutors open homicide case after cyber-attack on German hospital,” The Guardian, September 18, 2020, https://www.theguardian.com/technology/2020/sep/18/prosecutors-open-homicide-case-after-cyber-attack-on-german-hospital.
[50] U.S. House of Representatives, National Defense Authorization Act for Fiscal Year 2021, HR 6395, 116th Cong., introduced in House March 26, 2020, https://www.congress.gov/116/bills/hr6395/BILLS-116hr6395enr.pdf.
[51] “Covered entity” includes healthcare providers, plans and clearinghouses. “Business associate” includes billing companies, collection agencies, record management companies, and any others who process PHI on behalf of the covered entities. If a “business associate” receives PHI directly from or on behalf of a person/entity not subject to HIPAA, that is not covered by HIPAA.
[52] As of November 30, 2020, out of 250,367 HIPAA complaints, OCR only made 985 referrals to the DOJ for the knowing disclosure or obtaining of protected health information. “Enforcement Highlights”, U.S. Dep’t of Health & Human Services, December 15, 2020, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
[53] “Guide to Privacy and Security of Electronic Health Information,” Office of the National Coordinator for Health Information Technology, April 2015, https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf.
[54] Amit Manchanda, “7 Problems Which Healthcare Technology Can Solve for a Healthier World,” Insights - Web and Mobile Development Services and Solutions, February 3, 2020, https://www.netsolutions.com/insights/5-healthcare-problems-which-digital-technologies-can-solve-for-a-fit-and-healthy-world/.
[55] Ibid.
[56] Ibid.
[57] James Tarala and Kelli Tarala, “Implementing Healthcare Cyber Hygiene with the Critical Security Controls,” SANS Institute, accessed December 20, 2020, https://www.sans.org/course/for-himss-implementing-healthcare-cyber-hygiene-with-the-critical-security-controls.
[58] “Understanding the Training of Trainers Model.” Centers for Disease Control and Prevention. Centers for Disease Control and Prevention, March 13, 2019. https://www.cdc.gov/healthyschools/tths/train_trainers_model.htm.