Here at Advisory Board, we've built an extensive cybersecurity resource library highlighting best practices in how to respond to increasing cyber-threats, but we also value having a fresh, external perspective. To learn more about how health care organizations can respond to the rise in cyber-threats, we reached out to Bob Chaput for a virtual Q&A.
Chaput is the founder and executive chair of the Board of Clearwater Compliance, a provider of health care compliance and cyber risk management solutions.
As a leading authority and expert witness on HIPAA compliance and enterprise cyber risk management, Chaput has helped hundreds of health care organizations and their business partners, including Fortune 100 organizations, improve their risk posture. Chaput is also the author of the recently published book, "Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management."
Question: As with any technology, many of our members continue to debate the benefits and drawbacks of outsourcing their cybersecurity capabilities. What would you say are the key considerations to make when deciding whether or not to engage a third party in your cyber risk management efforts?
Bob Chaput: When I think about critical considerations for any outsourcing decision, I recommend organizations think about the work for which outsourcing is considered vis-à-vis a classic 2x2 matrix. On the vertical axis, determine whether the work is a "necessary cost" to the organization versus actual "value-added" work.
On the horizontal axis, determine whether the work is "proprietary" to the organization versus "generic" work that others can perform and often specialize in doing so more effectively and more efficiently. In my experience, when the work falls into the "necessary cost-generic" cell, it is typically a good decision to outsource this work to experts. Even when work falls into the "value added-generic" cell, consider outsourcing it.
Cyber risk management work is usually a necessary cost for health care organizations and not value-added to their core vision, mission, strategy, values, and services.
There is nothing proprietary about ECRM work. Therefore, I would suggest organizations retain their governance and engagement responsibilities but consider outsourcing people, processes, and technology to the maximum extent possible.
Q: There has been an ongoing effort to empower patients to "own" their own health data, and we've also seen the rise in data mobility, such as with the Apple Health Records feature on iPhones. As data ownership continues to shift toward consumers, how do we reevaluate matters of accountability in the instance of a breach? Will consumers/patients start to bear a greater burden of responsibility for keeping health data secure?
Chaput: The subject of ownership of patient data could be the basis of a multi-day symposium, which is well beyond the scope of this blog post. Yes, patients have explicit rights to access and receive copies of their medical records. Ownership is a highly debated subject that varies by state and crosses into intellectual property rights and other legal principles.
To the matter of accountability in the instance of a breach, putting numerous and various state laws aside, from a HIPAA perspective, accountability is unambiguous. The Breach Notification Rule spells out responsibilities for both covered entities and business associates.
As the name suggests, the Breach Notification Rule is about reporting in the event of "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [HIPAA Privacy Rule] of this part which compromises the security or privacy of the protected health information."
The Privacy Rule and Security Rule specify that covered entities and business associates have full accountability for assuring the confidentiality, integrity, and availability of Protected Health Information. Consumers and patients will not bear a more significant burden of responsibility where their Protected Health Information is created, received, maintained, or transmitted by their health care providers and their vendors.
At the same time, most of us use a growing number of health-related applications not offered by our health care provider or their vendors. These include personal health record applications, fitness apps, direct-to-consumer genetic testing websites, Bluetooth-enabled heart monitors, etc.
It's clear that a growing amount of individually identifiable health information is slipping through the "HIPAA cracks." For these solutions and applications, yes, consumers/patients must start to bear a more significant burden of responsibility. Think buyer beware!
Q: If the health care industry stays on its current path of under-investing in cyber risk management, where do you see the industry in five years? How long can the industry sustain this reactive, "whack-a-mole" response to ransomware attacks and other breaches?
Chaput: The health care industry has evolved its treatment of cyber risk management from a compliance issue, to a security issue, to a growing concern over patient safety at a plodding pace. The blogosphere lit up in September 2020 with storylines indicating that a German patient died for the first time due to a ransomware attack.
Allegedly, the patient died due to the patient being diverted to another emergency department 19 miles away, delaying care by an hour due to the cyber-attack. Police launched a "negligent homicide" investigation. Subsequently, the chief public prosecutor concluded there were insufficient grounds to pursue the case. In this instance, the prosecutor could not prove legal causation.
Cyber risk management can be a life-or-death matter. Within the next five years, if not sooner, I believe we will see plaintiffs' attorneys win successful medical professional liability and hospital professional liability lawsuits based on cyber-attacks.
Too many health care organizations are negligent in their treatment of cyber risks. I believe harm, if not death, will occur, and plaintiff attorneys will prove negligence and legal causation. These cases may result in derivative lawsuits against responsible C-suite executives and board members for failure to exercise an appropriate duty of care related to cyber risk management.
When we enter this era of cyber-driven liability lawsuits, the health care industry will move out of the reactive "whack-a-mole" approach and adopt a more proactive ECRM posture.
Q: When you think about the current state of health care cybersecurity, what keeps you up at night?
Chaput: Several things. My primary concern is the lack of appropriate C-suite and board engagement. It's time for the C-suite and board to step up, set the tone, adopt core ECRM principles, and provide resources, leadership, and oversight to make ECRM a transformational program in their organization.
Secondarily, too many health care organizations have defaulted to a tactical, technical, and spot-welding approach to cybersecurity. "Whack-a-mole" or "threat-du-jour" cybersecurity is not based on a comprehensive understanding of the organization's unique risks.
Too often, even when there is a fraction of planning, I see one-size-fits-all controls checklists driving the cybersecurity plan. What we need is a more business, strategic, and architectural approach to cybersecurity. An enterprise-wide, comprehensive risk analysis that considers the organization's unique vision, mission, strategy, values, and services should drive the cybersecurity plan.
Finally, I am concerned about the lack of an appropriate number of security professionals in health care and, for that matter, in all industries, many of which comprise health care's supply chain.
I am also concerned about the greater emphasis on cybersecurity engineering and operations jobs rather than risk analyst and risk management jobs. It suggests we're dealing with an engineering issue; we need a much greater risk management emphasis.
Q: When you think about the current state of health care cybersecurity, what gives you hope?
Chaput: I am most hopeful about the people working in privacy, security, compliance, and risk management. These thousands of hardworking professionals are committed to making it right and will eventually garner the attention and support of the C-suite and board.
The C-suite and board simply need to understand and fulfill their fiduciary responsibility and duty of care in this matter. It is happening in progressive organizations already, and it will continue to happen.
The second trend that gives me hope is the widespread adoption of the so-called NIST Cybersecurity Framework. In my book, I cover the importance and value of following the approach developed by NIST, and I believe it is the best, most comprehensive risk-based approach to ECRM.
And, good news, it is widely adopted across the health care ecosystem already. And, even better news: it is free! Other reasons for adopting the NIST approach include:
- Leveraging current standards, guidelines, and best practices from several internationally recognized sources
- Tight alignment with HIPAA requirements
- Endorsement by health care-industry heavyweights, including the Healthcare Information and Management Systems Society (HIMSS)
- Establishment of the NIST Cybersecurity Framework as the standard for the U.S. government
- Its emergence as a national standard across industries
I'm excited about this widespread adoption of an open, non-proprietary, industry-standard, and consistent approach. It will facilitate significantly better communication about cyber risk management internally, between health care organizations, and up and down the health care supply chain, where seemingly unrelated downstream attacks have disrupted patient care.