Readers Write: The Uncomfortable Truth About Healthcare Data

The Uncomfortable Truth About Healthcare Data
By Mike Green

Mike Green, MBA is chief information security officer of Availity.

Cyberattacks have become an all-too-common occurrence, with no industry immune from their effects. In healthcare, the stakes have reached unprecedented levels, with the FBI recently identifying the sector as the top ransomware target.

Consider that in 2023, healthcare data breaches that impacted 500 or more records were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) at a rate of 1.99 per day. The results of that equate to a whopping 364,571 healthcare record breaches every day and 133 million records exposed or impermissibly disclosed in 2023 alone.

Data like this, combined with lessons learned from previous cyberattacks, reveal the uncomfortable truth that healthcare data is increasingly vulnerable. Hardware, software, and the information that runs through it are more interconnected than ever. The vital nature of healthcare’s digital infrastructure, combined with increased cyber threats, magnify the vulnerability of this connectedness further.

Reflect on this year’s example in which a major clearinghouse experienced one of the worst cyberattacks in the history of the US healthcare sector, affecting up to one-third of the U.S. population. What makes this incident stand out is the company’s crucial role as a healthcare clearinghouse.

As digital super-highways, healthcare clearinghouses connect the healthcare ecosystem, routing billions of electronic transactions between health plans and providers and streamlining administrative processes that are associated with claims, prior authorizations, and provider payments. Yet today, under HIPAA, the closest thing to an information security standard is a catch-all “reasonable efforts” expectation. Such a standard, or lack thereof, was wholly inadequate to protect hundreds of thousands of providers and millions of patients across the interconnected healthcare landscape from this unprecedented cyberattack.

Members of Congress have caught on, announcing the proposed Health Infrastructure Security and Accountability Act in late September, which aims to direct HHS to craft a new set of minimum cybersecurity standards for healthcare providers, health plans, clearinghouses, and business associates. As calls for change such as this highlight, to truly improve cybersecurity across the US healthcare system and prevent this from happening again, the industry—and clearinghouses in particular—must do more to safeguard and swiftly recover with minimal disruptions.

The following best practices can help bolster cybersecurity posture and speed recovery time for healthcare organizations that are impacted by attacks.

• There is a pressing need to establish mandatory cybersecurity standards for all clearinghouses. The days of “please see attached HITRUST certification” are gone. That is simply not enough, and the false sense of security provided by these certifications is dangerous. These standards should be updated regularly to address evolving threats. Clearinghouses should be required to disclose the scope of their information security programs and demonstrate compliance with highly specific security standards, such as the US Defense Information Systems Agency Provisional Authorization Impact Level 2 (DISA IL2), which maintains cloud computing security requirements and the National Institute of Standards and Technology SP 800-171, a standard for safeguarding sensitive information on federal contractors’ IT systems and networks.
• Clearinghouses should also comply with SOC-2, a security framework that was developed by the American Institute of Certified Public Accountants (AICPA). SOC-2 specifies how organizations should protect customer data from unauthorized access and is built around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Not all healthcare organizations comply with SOC-2 criteria. Clearinghouses should be required to fully implement these cybersecurity standards, adjusting criteria over time to keep pace with evolving threats.
• It is crucial to implement stringent disaster recovery and business continuity standards. These standards should include annual reviews by boards of directors and mock cyberattack exercises to ensure preparedness. Clearinghouses must demonstrate the capability to recover from disruptions swiftly, with recovery times measured in hours and days, not weeks and months. Moreover, Recovery Time Objectives and Recovery Point Objectives should be shared with clients annually, with these metrics audited by credible third parties.
• Streamlining the administrative processes for providers is also essential. Simplifying and standardizing the enrollment process for electronic data interchange (EDI) with Medicare and Medicaid will reduce redundant requirements and enhance efficiency. Establishing a unified, automated EDI enrollment system across all Medicaid and Medicare programs will further ease the administrative burden on healthcare providers, saving time and money while ensuring the ability to run practices through a disruption of service to the primary clearinghouse.

While there’s no one-size-fits-all solution to addressing cyber threats in healthcare, the establishment of such clear standards and accountability measures can help better ensure the resiliency and security of the entire digital infrastructure. Strengthened cybersecurity practices can also instill confidence in the integrity of the healthcare ecosystem, which connects patients, providers, payers, and other stakeholders alike.