December 18, 2017

How the New Health Care Cyber Risk Plan Impacts both Healthcare and Cybersecurity

The adoption of a new Health Care Cyber Plan developed by HHS prioritizes risk analysis and effective processes to mitigate potential security risks.

In late November, Greg Walden (R-OR), the Chairman on the House of Representatives’ Committee on Energy and Commerce, formally requested the assistance of the Department of Health and Human Services or HHS to develop a plan for healthcare technologies. This request came after an oversight hearing that took a closer look at HHS’s role in healthcare cybersecurity planning and management, and after growing concerns about massive security breaches that occurred through ransomware attacks like NotPetya and WannaCry.

Developing such a plan is indicative of a growing awareness of the cybersecurity risks the health care industry faces today and a concerted effort to prioritize risk analysis and proactive security measures. Walden has requested a response from HHS by December 15th of this year.

What’s Included in the new Health Care Cyber Risk Plan?

The proposed health care cyber risk plan will include a software Bill of Materials or SBOM to encourage greater transparency and enhance vendor risk management to mitigate risk.

The Software Bill of Materials (SBOM) includes a list of all software components in use by health care organizations and hospitals as well as a complete list of all hardware and medical devices. Every piece of medical equipment or technology in use would be documented via an SBOM. All known risks associated with any software component must be listed as well.

Using BOM can help proactively assess security risks and thus mitigate loss and vulnerabilities. Healthcare organizations can use BOM to assess security risks associated with medical devices and other technology equipment that they use and that is connected to their networks and the Internet.

How is this plan different from HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, developed regulations to protect certain health information with a Privacy Rule and a Security Rule. The Privacy Rule establishes national privacy standards that protect certain health information. The Security Rule establishes national security standards to protect health information in electronic form.

The Security Rule is designed to protect individual privacy regarding health information, while still offering covered entities the ability to adopt new technologies for better patient care. It is meant to be flexible and scalable.

Adopting the new Health Care Cyber Risk Plan is expected to expand existing healthcare regulations such as HIPAA’s risk analysis provisions in 45 C.F.R. § 164.308(a)(1). The new plan would affect how information is shared and accessed on healthcare systems, computers, mobile devices, peripherals, medical equipment and by personnel.

Benefits of the new Health Care Cyber Risk Plan

The primary benefits of adopting this new health care cyber risk plan includes:

  • proactive risk assessment and analysis
  • proactive security measures
  • transparency into medical devices, equipment and processes in current use to mitigate risk
  • logs and record keeping
  • improved security consistently from healthcare organizations to hospitals and medical device providers
  • greater understanding of the interactions between medical devices, resident IT systems and operators, thus offering better cybersecurity risk management

Challenges Healthcare Organizations, Hospitals and Medical Device Providers May Face

Adoption of any new cybersecurity protocol and framework requires consistent planning and execution. In addition to meeting requirements through the new cyber plan, organizations will also have to manage risks that come through interaction between equipment, IT systems and people. Assessing and managing these risks effectively requires cybersecurity knowledge and planning that can be beyond the skill sets and capabilities of personnel at these healthcare organizations.

Medical device providers will also need to comply with provisions of HIPAA Security Rules such as ‘Covered Entities’ and ‘Business Associates’ that affect how risk analysis is conducted. Periodically reviewing and improving cybersecurity efforts will also be necessary to meet these requirements.

About the Author

John Huckeby is the managing director of healthcare and life sciences at Tevora.