Health Industry Cybersecurity Practices
USC Gould School of Law

Wednesday, August 26, 2020

Cybersecurity represents a huge area of concern in the health care industry. Breaches place a significant burden on the sector, as evidenced by a recent report from the Ponemon Institute and IBM Security. According to this study, the average health care breach costs the affected organization $6.45 million, with health care companies losing an average of $429 per stolen record.

A health care cybersecurity breach means that patient data has in some way been compromised; safeguards have been bypassed or accidentally undone, and data has been accessed in an unauthorized way. Top costs from health care breaches primarily relate to legal and regulatory issues, although they also account for reputational damage that results in lost business.

What kinds of issues can crop up following a breach?

Patients whose data has been breached may consider litigating against the organization that experienced the hack.

HIPAA violations resulting from the breach can lead to law enforcement action.

Regulatory concerns may arise, as organizations must report the breach in a timely manner and include certain details of the event.

Already, several companies have suffered damage great enough to prompt financial calamity. For example, the American Medical Collection Agency’s parent company filed for Chapter 11 bankruptcy following an attack that impacted over 25 million victims across 18 providers.

Given the prevalence and high cost of cyberattacks, health care organizations work to enact strict protocols to limit the potential for future breaches. This remains a clear area of weakness for many providers, some of which still struggle to maintain full compliance with the Health Insurance Portability and Accountability Act (HIPAA).

In failing to provide a baseline of security, organizations place the health, safety and privacy of their patients at risk. These companies are more likely to struggle in their attempts to combat newer, more sophisticated threats. Thankfully, numerous resources exist for expanding security practices and limiting the potential for future attacks.

Top Cybersecurity Threats in the Health Care Sector

The Department of Health and Human Services identifies the following as the most prevalent and alarming cybersecurity threats in the health care industry:

  • Email phishing attacks
  • Ransomware attacks
  • Data or equipment theft
  • Intentional or accidental data loss
  • Attacks involving connected devices

While all of these threats warrant concern, attacks on connected devices are the most alarming. These incidents place patients in grave danger and could prove deadly if not prevented or swiftly mitigated. MRI machines and CT scanners, for example, could be compromised.

This isn’t purely a matter of speculation; a 2018 Symantec report highlighted a targeted campaign against the health care sector. Symantec detected Kwampirs malware installed on a variety of high-tech imaging devices.

Likewise, researchers from Ben-Gurion University of the Negev discovered that malicious parties can harm patients by hacking the technology behind CT scans and dramatically increasing radiation levels.

Whether attacks involve devices, email accounts or other areas of vulnerability, they place both patients and employees at considerable risk. Medical providers must address these concerns promptly to provide the comprehensive protection those under their care deserve.

Strategies for Mitigating Cyber Threats in the Health Care Sector

HHS recommends a proactive approach to handling cybersecurity concerns. In addition to outlining top threats, the department has released multiple technical volumes that address key practices for preventing breaches. Separate resources are provided for small and large health care organizations, although significant overlap exists regarding recommended practices.

Top measures highlighted by HHS include:

  • Avoiding free or consumer email services
  • Installing antivirus software solutions
  • Establishing cybersecurity training programs for health care workers
  • Limiting user access based on each employee’s role within the organization
  • Configuring automatic patching for vulnerable endpoints
  • Installing encryption software at all endpoints that connect with electronic health records
  • Using IT asset management (ITAM) to maintain cyber hygiene
  • Configuring networks to limit access between devices
  • Conducting vulnerability scans to determine key areas of weakness

These and other practices do not aim to reinvent the wheel. Rather, they reflect guidance already provided within the National Institute of Standards and Technology (NIST) Cybersecurity Framework. They also draw upon requirements from HIPAA, with which health care providers should already be compliant.

How Health Care Law Influences Cybersecurity

While the practices identified by HHS can provide valuable protection for vulnerable organizations, they are far from easy to implement. In the interest of maintaining full compliance, health care companies may look to legal resources for assistance.

While compliance-oriented legal practices were once primarily called upon to assist with issues involving HIPAA, HHS guidelines play an increasingly significant role in their work with medical providers.

Many companies already utilize most of the measures identified in the aforementioned technical volumes. Detail-oriented lawyers can assist these organizations in finding gaps between their existing cybersecurity protocols and those identified by HHS.

If identified discrepancies are deemed capable of causing legal issues in the event of a breach, attorneys can assist providers in planning for and implementing best practices for cybersecurity.

Cybersecurity may feel like a constant game of catch-up in the modern digital environment, but full patient protection is not the pipe dream that frustrated industry leaders assume. If cybersecurity best practices are carefully implemented under the supervision of a legal representative, health care providers can avoid future attacks and associated courtroom issues. More importantly, their efforts to secure networks could make all the difference for vulnerable patients.

Looking to take on new challenges in an in-demand legal niche such as health care compliance? USC Gould School of Law offers a Health Care Compliance Certificate online, providing valuable training aimed at addressing today’s most urgent issues.

Sources

U.S. Department of Health & Human Services: Health Industry Cybersecurity Practices

U.S. Department of Health & Human Services: Cybersecurity Practices for Small Health Care Organizations

U.S. Department of Health & Human Services: Cybersecurity Practices for Medium and Large Health Care Organizations