A New Approach to an Old Problem
Resistance to yet another government regulation, a lack of understanding the complexities of the rules, and an overall unwillingness to take on yet another area of expertise in an ever-changing technical landscape can make the sale of HIPAA compliance a tough one.
Gone are the days of using Meaningful Use as an incentive for HIPAA compliance.
MACRA / MIPS has not filled the gap.
Even though a HIPAA Security Risk Assessment is required for MACRA – Promoting Interoperability (PI), the financial incentives don’t appear to be driving the decision to continue pursuing or purchasing HIPAA compliance.
The lack of widespread OCR enforcement – aside from the fear of large penalties, is another reason many healthcare organizations and their business associates have dragged their feet when it comes to HIPAA compliance.
MSPs, law firms, and healthcare consulting companies all recognize the need to protect PHI but many times their words of warning fall on deaf (or busy) ears.
While the HIPAA message doesn’t ring as loud as it used to, a new dynamic has overcome the healthcare sector, and we need to pay attention. Cybercriminals have realized that healthcare is an easy target with a big payoff. Technological advances in the way we address medical care have resulted in an overwhelming amount of electronic data – in both results, reports, and general patient information. Medical equipment is continually evolving and providing the world with cutting edge methods – and that data is stored electronically. The need to link that data to a patient can mean finding a quick fix solution that may overlook addressing HIPAA in the process. This leaves countless files in danger of a breach if not protected properly.
In addition to ignoring HIPAA regulations for the sheer convenience of doing things “the easy way”, healthcare organizations historically spend less on security measures, including employee awareness training. Healthcare organizations often see high turnover rates, meaning even if an organization does train their employees (which generally occurs only once a year, if that), incoming employee training tends to get overlooked.
Cybercriminals now know this is an easy target. Meaningful Use has successfully transformed a paper-based industry into electronic health records. Unfortunately, cybersecurity defenses have remained stuck in the last decade.
While Russian hackers have argued over the ethical merits of targeting healthcare, some have admitted that “hospitals make too easy of a target to ignore”.
Hundreds of million patient records have already been breached, ransomware has paralyzed many healthcare organizations, and business email compromise attacks continue to victimize medical practices, hospitals, and the organizations that support them.
A New Approach
While many Healthcare organizations do take HIPAA seriously and do their best to protect PHI, the vast majority will continue to ignore government regulations and believe that compliance is something that only larger organizations need to worry about. MSPs will continue to be met with lukewarm reception to a HIPAA compliance message.
However, 10 years after the HITECH Act, it is time to change the message to healthcare clients and prospects, which in turn, could change the landscape altogether.
We need to stop pitching HIPAA compliance and start focusing on a strong cybersecurity message. The real threat to healthcare organizations is not the government with their fines and regulations, but cybercriminals that have realized the healthcare sector is where they need to focus.
MSPs need to show healthcare organizations that ransomware is one of their biggest threats, that hackers are focusing on healthcare, and that medical practices and their employees are ill-prepared to defend against them.
Using examples of hospitals that have been paralyzed by ransomware or pointing to events like the Baltimore or Greenville city shutdowns only reinforce the message that it’s just large organizations that cybercriminals are targeting and victimizing.
Instead, we need to use examples of medical practices and other small/midsize healthcare organizations that are relatable to our clients. Explain how a Michigan ENT & Hearing practice was a ransomware victim, and that cybercriminals deleted all of their data after they refused to pay the ransom – including any trace of their patients’ medical records. They were out of business before you can say backup.
A New Plan for an Existing Problem
Bang the ransomware drum as loud as you can. Point out that most ransomware attacks start with phishing emails. Point out that employees are the weakest link in an organization’s cyber defense and that most data breaches are caused by employee mistakes.
The new message to healthcare organizations needs to be focused on cybersecurity. Simulated phishing, ongoing security awareness training, and Dark web monitoring all need to be put in place to defend against phishing and ransomware.
Email security, password security, multi-factor authentication, and disaster recovery all need to be implemented to harden an organization’s defenses and allow them to recover in the event of a cyber disaster.
All healthcare organizations need cyber insurance that covers ransomware, data breaches, business email compromise, social engineering, data recovery expenses, and regulatory fines.
Cyber insurance should provide both financial resources and vetted vendors to help with data breach forensics, breach coaching, breach notification, public relations, identity monitoring, and other breach-related expenses.
Many MSPs are not prepared to help their clients in the event of a data breach. They need vetted and accredited vendors to help with forensics, lawyers to help with breach counseling, and professions that specialize in handling data and HIPAA breaches. The time to ensure these vendors and resources are in place is before a data breach occurs – not after. Cyber insurance is an excellent way to do this.
Now is the time to move away from HIPAA compliance messaging and reinforce a cybersecurity message. We must educate clients and prospects. The healthcare industry needs to fortify its cybersecurity requirements. Managed services are needed to maintain their networks, and cyber insurance is needed to maintain their business. HHS has recently released cybersecurity guidelines that echo this message.
This is a huge opportunity for MSPs, but it will take a different approach, and a focus on education and awareness that spotlight the real risks to healthcare.