“They are fish out of water … They were given an executive role under HIPAA but weren’t given the resources to support that role,” said a security official at one health care organization.
Because of its limited budget, the Office for Civil Rights has fewer investigators than many local police forces, and each investigator must juggle more than 100 cases at a time. The office’s fiscal 2022 budget was $38 million, roughly the cost of 20 MRI machines, which run between $1 million and $3 million apiece.
Another problem is the office’s reliance on the cooperation of victims, the organizations targeted by hackers, to provide evidence of a violation. Those victims may be hesitant to report breaches because of the potential fines, which come on top of the costs of the breach itself and the ransom the hackers often demand.
Depending on the circumstances, enforcement can even appear to blame the victim, especially when the hackers may be funded or directed by foreign governments. That has raised the question of whether the U.S. government should do more to protect medical institutions.
Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), co-chairs of the congressional cybersecurity commission that examined the threat, wrote to HHS Secretary Xavier Becerra in August questioning the government’s failure to “reliably and timely share actionable threat information with industry partners.”
The scope of the threat is vast and the consequences of breaches are severe. According to a 2021 survey by the Healthcare Information and Management Systems Society, more than two-thirds of healthcare organizations had experienced a “significant” security incident, mostly phishing or ransomware attacks, in the previous year.
These incidents can have a significant economic impact and can be life-threatening for patients. A recent report from the cybersecurity company Cynerio and the Ponemon Institute, a cybersecurity research center, found that about a quarter of cyberattacks led to increased mortality because of delayed treatment.
Experts say the healthcare sector is particularly vulnerable to attack, partly because of its rapid digital transformation and partly because it is an attractive ransomware target: interrupting treatment can put patients’ lives at risk, so providers feel pressure to pay. In 2021 alone, hackers accessed the records of nearly 50 million people, raising privacy concerns and leaving many more exposed to fraud.
The HHS office expects 53,000 cases in fiscal 2022. As of 2020 it had 77 investigators, some of whom are also assigned to other work, such as civil rights complaints.
Melanie Fontes Rainer, the Biden administration official who runs the Office for Civil Rights, said her investigators were “under incredible resource constraints and incredibly overworked” and must pick their battles.
She sees the issue as one of funding, and the Biden administration has asked Congress to increase the office’s budget by about 58%, to $60 million, in fiscal 2023.
But advocates for victims want to make sure any new staff would be used to help prevent future attacks rather than to punish organizations for failing to stop past ones.
“If OCR is looking for funds to protect hospitals, that’s good,” said Greg Garcia, executive director of the Health Care and Public Health Sector Coordinating Council, which represents many parts of the health care industry.
Most of the time that is what the office does, but fines are always possible, Fontes Rainer said, adding that more resources would mean more enforcement, which encourages healthcare organizations to meet their obligations under HIPAA. Tim Noonan, a senior official under Fontes Rainer, also hopes the agency’s capacity to provide guidance and technical assistance will grow.
Fontes Rainer said the increased budget “will give it a stronger hammer.”
In July, HHS imposed its first major fine for a data breach since President Joe Biden took office: $875,000 against Oklahoma State University’s Center for Health Sciences. Investigators found that the center may not have reported the breach in a timely manner or taken steps to protect the data.
And Fontes Rainer is pressing for higher fines following legal setbacks at the end of the Trump administration.
In January 2021, the Fifth Circuit Court of Appeals threw out a $4.3 million penalty the Office for Civil Rights had assessed against the University of Texas MD Anderson Cancer Center for data breaches. The court called the penalty “arbitrary” and “capricious,” giving ammunition to critics of the office’s enforcement efforts.
The Trump administration imposed more than $50 million in fines for violations over four years. But Roger Severino, then director of the Office for Civil Rights, called for lower fines for organizations that had not “willfully ignored” the privacy law or that had taken corrective action, saying the agency had previously misread the law.
Some experts said further HHS restraint could lead to more negligence.
Carter Groome, CEO of First Health Advisory, a healthcare risk management consulting firm, says more than half of the healthcare industry is “extremely ill-prepared” to protect against cyberthreats.
For organizations with few resources, being underprepared is understandable. It is less so for a large healthcare system.
“I know small rural facilities have CIOs who also do everything from snow removal to making sure the air conditioning is working,” said Tom Leary, vice president of government affairs at the Healthcare Information and Management Systems Society. “But if you have enough resources and you don’t meet your responsibilities, [enforcement] absolutely must be part of the process.”
Leary’s group has found that cybersecurity budgets are often inadequate.
Enhanced enforcement may prompt healthcare providers to increase them.
Others are more skeptical. “HHS enforcement is close to ninth on the list of reasons to have a good security program,” said Kirk Nahra, a privacy attorney at the law firm WilmerHale, who added that aggressive enforcement could hinder the data sharing that governments are trying to encourage. “Why would I give you access … if it could go wrong and I could get hit.”
There are other ways governments can help improve cybersecurity in healthcare organizations. Industry advocates point to two key areas: money to improve defensive systems and funding for workforce development.
John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, is seeking federal support for worker training and subsidies to help organizations step up their security efforts. In congressional testimony, Erik Decker, chief information security officer at the hospital chain Intermountain Healthcare, asked that the Centers for Medicare & Medicaid Services consider developing a payment model to “directly fund” cyber programs.
In contrast to King and Gallagher, many in the industry say they are encouraged by progress on information sharing. HHS’ Health Sector Cybersecurity Coordination Center, along with the public-private 405(d) program and its task group, which Congress called for in Section 405(d) of the Cybersecurity Act of 2015, are praised for developing guidelines that help healthcare organizations protect themselves.
Still, King and Gallagher said in their letter to Becerra that they were concerned information sharing was not robust enough given the rise in cyberattacks, and they indicated they were willing to propose and fund legislation that would give HHS new powers to deal with hackers.