“They’re fish in water…They were given the enforcement role under HIPAA, but were not given the resources to support that role,” said Mac McMillan, CEO of CynergisTek, a Texas company that helps healthcare organizations improve their cybersecurity.

Because of its tight budget, the Office for Civil Rights has fewer investigators than many local police departments, and each of them handles more than a hundred cases at a time. The office had a budget of $38 million in 2022 — the cost of about 20 MRI machines, which can run $1 million to $3 million apiece.

Another problem is that the agency relies on the cooperation of the victims, the institutions targeted by hackers, to provide evidence of the crimes. Those victims may sometimes be reluctant to report breaches, as HHS could then accuse them of violating HIPAA and impose fines in addition to the costs incurred as a result of the breach and the ransom often demanded by the hackers.

Depending on the circumstances, that can look like blaming the victim, especially since the hackers are sometimes funded or controlled by foreign governments. It also raises questions about whether the U.S. government should do more to protect health organizations.

In a letter dated Aug. 11 to HHS Secretary Xavier Becerra, Senator Angus King (I-Maine) and Representative Mike Gallagher (R-Wis.), former co-chairs of a cybersecurity committee investigating the threat, raised that point and questioned the “lack of robust and timely sharing of actionable threat intelligence with industry partners.”

‘A stronger hammer’

The magnitude of the threat is enormous and the consequences of breaches are serious. According to a 2021 survey by the Healthcare Information and Management Systems Society, more than two-thirds of healthcare facilities had experienced a “major” incident — most commonly phishing or ransomware attacks — in the previous year.

These episodes can have significant financial implications and can threaten the lives of patients. A recent report from cybersecurity firm Cynerio and the Ponemon Institute, a cybersecurity research center, found that about 1 in 4 cyberattacks resulted in increased deaths from care delays.

Experts say the healthcare sector is particularly vulnerable to attacks, partly because of its digital transformation and partly because of its vulnerability to ransomware. Disrupting care can endanger patients’ lives, leaving healthcare organizations feeling compelled to pay ransoms. In 2021 alone, hackers gained access to the data of nearly 50 million people, raising privacy concerns and leaving many vulnerable to fraud.

The HHS office expects 53,000 cases in fiscal year 2022. As of 2020, it had 77 investigators, some of whom have been assigned to other things, such as civil rights violations.

Melanie Fontes Rainer, the Biden administration official who heads the Office for Civil Rights, said her investigators have to pick their fights because they are “under incredibly limited resources and incredibly overworked.”

She views the issue as a funding problem, and the Biden administration has asked Congress to give the agency a budget increase of about 58 percent in fiscal 2023, to $60 million, which could allow it to hire 37 new investigators.

But victim advocates want to be sure that those new hires would rather help them prevent future attacks than punish them for failing to stop previous attacks.

“If OCR is looking for money to protect hospitals… good. That’s HHS’s role — not just to punish the victim,” said Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council, which represents a number of healthcare sectors targeted by the hackers.

For the most part, that’s what the office does, but fines are always a possibility, and Fontes Rainer said more resources will bring more enforcement, encouraging healthcare organizations to meet their obligations under HIPAA. Tim Noonan, a senior official under Fontes Rainer, also expects it to strengthen the agency’s ability to provide guidance and technical assistance.

A budget increase “gives us a stronger hammer,” Fontes Rainer said. “Enforcement…stops the behavior, but is also a deterrent to others.”

In July, HHS imposed its first major fine for violations since President Joe Biden took office: an $875,000 penalty against Oklahoma State University’s Center for Health Services. Agency investigators found that the center may not have reported a breach in a timely manner, and that it had not taken steps to protect the data.

And Fontes Rainer is pushing for fines to be increased after a legal setback at the end of the Trump administration.

In January 2021, the 5th Circuit Court of Appeals overturned a $4.3 million fine that the Office for Civil Rights had assessed against the University of Texas MD Anderson Cancer Center for data breaches. The court called the fine “arbitrary” and “fickle,” giving ammunition to critics of the agency’s enforcement efforts.

The Trump administration imposed more than $50 million in fines for violations over four years. But Roger Severino, then director of the Office for Civil Rights, also moved to reduce fines for entities not found in “willful neglect” of the privacy law or that had taken corrective action, saying the agency had misinterpreted the law.

‘A cop on the side of the road’

If HHS were to further withdraw from enforcement, it could lead to more negligence, some experts said.

More than half of the health care industry is “sadly ill-prepared” to protect against cyber threats, said Carter Groome, CEO of First Health Advisory, a health risk management consultancy.

For organizations with few resources, that lack of preparedness is understandable. Major health systems are another matter.

“We know a CIO in a small rural facility…he’s also in charge of…everything from shoveling snow to making sure the air conditioning is working,” said Tom Leary, vice president of government relations at the Healthcare Information and Management Systems Society. “But if they have sufficient resources and do not fulfill their responsibilities, [enforcement] should definitely be part of the process.”

Leary’s group has found that cybersecurity budgets are often meager.

Stepped-up enforcement could encourage healthcare organizations to increase them.

“You see a cop on the side of the road, you slow down. If you don’t, you might not pay much attention to how fast you’re going,” said Deven McGraw, head of data stewardship and sharing at biotech company Invitae.

Others are more skeptical. “HHS enforcement is ninth on the list of reasons to have a good security program,” said Kirk Nahra, a privacy attorney at law firm WilmerHale, adding that aggressive enforcement could hinder the data sharing that the government otherwise tries to encourage. “Why should I give you access… if there’s a risk that things could go wrong and I could get hammered.”

There are other ways the government can help healthcare organizations improve their cybersecurity. Industry proponents point to two key areas: money for better defense systems and funding for workforce development.

John Riggi, the national cybersecurity and risk advisor at the American Hospital Association, has called for federal support for employee training and grants to help organizations step up their security efforts. And in testimony to Congress, Erik Decker, chief information security officer at hospital chain Intermountain Healthcare, called on the Centers for Medicare & Medicaid Services to look at developing payment models to “directly fund” cyber programs.

Unlike King and Gallagher, many in the industry said they are encouraged by advances in information sharing. HHS’s Cybersecurity Coordination Center for the health sector has helped, they said, and the public-private 405(d) program and task force have received top marks for their work developing guidelines to help healthcare organizations defend themselves. Congress called for that cooperation in Section 405(d) of a 2015 law.

Still, in their letter to Becerra, King and Gallagher said they were concerned that information sharing was not robust enough given the proliferation of cyberattacks. They asked for an urgent briefing from HHS and suggested they would be willing to propose funding and laws that would give the agency new powers to deal with the hackers.