The healthcare industry has spent many years preparing for and managing cybersecurity concerns. Then came February’s cyber-attack on Change Healthcare, a technology and business solutions provider and subsidiary of UnitedHealth Group that handles sensitive patient data. According to a company press release, “Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”
With concerns mounting in response to the Change Healthcare cyber-attack, Senator Mark Warner (D-VA) introduced the Health Care Cybersecurity Improvement Act of 2024 in late March. Senator Warner’s legislation pushes for higher levels of cybersecurity by restricting “accelerated payments” in the aftermath of a cyber-attack: if an organization does not already meet minimum cybersecurity standards, it will not be eligible. The aftermath of the Change Healthcare attack has the full attention of many health industry C-suite executives and board members as they determine how to avoid being either the cause of, or caught in the wake of, an upstream disaster. In reading this new proposed legislation, four discussion points are worth noting.
Minimum cybersecurity standards
The legislation states that “such hospital meets minimum cybersecurity standards as determined by the Secretary.” I am curious to hear what these standards will be. Most of the in-scope organizations, such as Medicare Part A providers and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services), are regulated by HIPAA, but how often are they audited against any security framework other than HIPAA? Perhaps the Secretary will push for a broader and stricter security framework such as NIST 800-53, a catalog of controls developed to help federal agencies meet the requirements of the Federal Information Security Modernization Act (FISMA). Either way, many health organizations are ill-prepared and will take months to establish the technologies and procedures needed to be fully compliant with such strict frameworks.
Ripple effects
With the possible approval and rollout of this legislation, a very interested industry will be watching from the sidelines: cyber insurance carriers. This industry uses a broad range of standards to assess an organization’s cyber risk. If the federal government steps in to require (or heavily incentivize) organizations to comply, I believe the chosen “minimum cybersecurity standards” will become the new measuring stick for cyber insurance assessments. Once adopted, this standardization will flow out into other, non-health-related fields as a way for cyber insurance organizations to fine-tune their actuarial calculations.
Third-party risk management
Although third-party risk management (TPRM) is one of the main pillars of every cybersecurity framework, it is rarely managed effectively. Organizations often struggle to truly measure, understand, and make critical decisions about the risks posed by upstream and downstream partners. Consider the Colonial Pipeline attack, a ransomware attack in May 2021 that disrupted critical supplies of gasoline and other refined products throughout the East Coast. Few organizations recognize the impact of a major attack on an organization that sits two or three layers upstream of theirs. This new legislation makes a very interesting call to action by requiring both the organization and its vendors to meet minimum cybersecurity standards. If successful, this will drive some intriguing conversations between vendors, holding each other far more accountable than in the past. There may very well be a race to compliance for several organizations. Some larger organizations may struggle to implement strict policies simply because of their size and the amount of custom development they rely on.
Rush to purchase
I am concerned that organizations will run a quick gap analysis, remediate the gaps with a quick purchase of software as a service (e.g., endpoint protection, Microsoft 365, asset management, etc.), and immediately move to an audit, claiming they are fully compliant. There is a current epidemic of vendors selling a software-as-a-service model that supposedly requires little to no labor or experience to manage. The reality is that although these services are fully functional out of the box, the majority require very specific configuration to provide the highest levels of cybersecurity. This is often left out of the sales cycle, leaving organizations thinking they are buying into a “security by default” model.
I will be watching this legislation, and any revisions that may come through. Overall, despite some challenges ahead, this is a major step in the right direction.
Dennis DeWolf is the Senior Manager for Cybersecurity and Technical Operations at CREO, leveraging over two decades of comprehensive experience in the fields of cybersecurity and infrastructure management. His proficiency extends across various domains, encompassing defensive cybersecurity, compliance, risk management, security operations, technical architecture, custom development, project management, server operations, application administration, quality assurance, network operations, database administration, storage management, Configuration Management Database (CMDB), and cloud management. Throughout his career, Dennis has consistently applied data analysis techniques to inform critical tactical and strategic decision-making.