The Department of Health and Human Services (HHS) will soon launch a healthcare-focused cybersecurity initiative modeled on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC). Christopher Wlaschin, Chief Information Security Officer at HHS, announced this development at the 2017 ACT-IAC Health IT-Mobile Forum on April 20. According to Wlaschin, the new center, to be called the Health Cybersecurity and Communications Integration Center (HCCIC), would seek to reduce the extensive “noise” in the health care industry about cyber threats and to analyze and “deliver best practices and the two or three things that a small provider, a small office, a doc in a box can do to protect his patient’s privacy and information security around those systems.” HHS also envisions the HCCIC working with developers of mobile health apps to promote data security best practices in that fast-growing area.
The NCCIC works to develop understanding of cybersecurity threats among a broad array of public and private sector entities, and to assist those stakeholders in information sharing and advancing best practices with respect to threats and mitigation. Similarly, Wlaschin told attendees at the forum that HHS has given grants to the National Health Information Sharing and Analysis Center to “encourage broad participation” in the HCCIC project. According to Wlaschin, HHS anticipates the HCCIC reaching initial operating capability in late June.
The HCCIC may shortly be joined by a separate cybersecurity initiative specific to the Centers for Medicare & Medicaid Services (CMS). According to Mark Scrimshire, who helped pioneer CMS’ successful Blue Button Initiative through which over a million Medicare beneficiaries have downloaded their CMS information, his group has “written an application programming interface that would let health application developers verify their security with a trusted source.”
The establishment of a healthcare-specific cybersecurity clearinghouse comes in the wake of increasing concern about cybersecurity vulnerabilities in the health sector. According to the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, released in May 2016, fully 89% of HIPAA-covered entities had suffered a data breach involving the loss or theft of patient data in the previous 24 months. Additionally, throughout 2016, a slew of ransomware attacks on hospitals prompted large payouts and potentially put patients at risk. According to a July 2016 report, 88% of ransomware attacks targeted the healthcare industry. In December, the Food & Drug Administration responded to the “growing number of medical devices designed to be networked to facilitate patient care” by issuing guidance addressing the management and reporting of post-market cybersecurity vulnerabilities in medical devices. Fortunately, industry actors seem to be getting the message: According to the Ponemon study, the percentage of HIPAA-covered entities satisfied with the effectiveness of their practices, personnel, technologies, and resources at preventing or quickly detecting unauthorized patient data access, loss, or theft jumped by 4 to 5% from 2015 to 2016. However, there is little doubt that the healthcare sector remains a prime target for hackers.
Moreover, a new front has emerged in the health care sector’s war against cybersecurity vulnerabilities, with the explosion of mobile health applications in recent years. In 2016 the number of mobile health apps in app stores hit approximately 259,000. And the market continues to grow at a rapid clip. According to an early 2016 report by Juniper Research, the number of individuals utilizing mobile health tools is expected to climb above 150 million by 2020. Unsurprisingly, there are concerns that cybersecurity is not keeping pace. A 2016 survey of 550 healthcare IT decision-makers worldwide revealed that the two most common concerns about mobile device management were security (83%) and data privacy (77%). Further, 27% of respondents expressed a lack of confidence in their mobile device management solution.
The federal government has been moving to contend with cybersecurity concerns in mobile health apps. The FDA’s December guidance represents a step towards regulating mobile health apps. Likewise, the HHS Office of Civil Rights and Federal Trade Commission have both developed online resources to educate app developers on their responsibilities under HIPAA and other data security laws.
With the growing proliferation of mobile health apps adding to existing concerns such as ransomware, it is not surprising that HHS is investing in new resources like the HCCIC. And other cybersecurity-related initiatives may be on the way in the healthcare regulatory field. On May 3, HHS’ Health Care Industry Cybersecurity Task Force released its draft report to Capitol Hill. The report includes recommendations to create a medical-device-specific “MedCERT” modeled after the United States Computer Emergency Readiness Team, which “would assess vulnerabilities, evaluate patient safety risks, adjudicate between the vulnerability finder and product manufacturer, and consult organizations about how to navigate the vulnerability process.” The report also calls for changes to the Stark Law and Anti-Kickback Statute to enable health care organizations to assist physicians in implementing cybersecurity software. Whether the political environment will be conducive to major initiatives, however, remains unclear, even on an issue like cybersecurity, which has relatively bipartisan support.