June 29, 2023 Will New Regulatory Guidance Transform Cybersecurity?

Emerging regulatory guidance on cybersecurity poses unique implications for healthcare organizations.

The US National Institute of Standards and Technology (NIST) is gearing up to release a vastly updated version of their Cybersecurity Framework (CSF) this summer, which will include the biggest changes ever made since the framework was first released in 2014. NIST’s concept paper for CSF 2.0 proposes a new Govern function to the five tenets of the framework—Identify, Protect, Detect, Respond, and Recover. The CSF 2.0 updates come alongside other regulations from CISA and NSA that call on organizations to specifically improve their identity and access management strategy.

However, while all these guidelines provide helpful information, they don’t establish any firm standards, incentives, or accountability. They are just recommendations – take them or leave them. And despite the expansion of the CSF demographic, there are many small public and private organizations that are not equipped with the budget or resources to make the costly changes proposed. While a handful of large healthcare systems have focused effort to develop a comprehensive cybersecurity strategy in recent years, chronically underfunded small and rural healthcare delivery organizations (HDOs) are at even higher risk of cyber attacks that could debilitate healthcare delivery for marginalized communities. Developing and administering a robust cybersecurity program is an expense many cannot currently afford.

Healthcare’s IT Budget Dilemma

NIST’s Cybersecurity Framework has been around since 2013 but it hasn’t led to any significant cybersecurity evolution in healthcare over the last decade. Ironically, the number of cyber attacks have grown in parallel with the amount of regulatory guidance released. Thirty percent of all data breaches occur in hospitals, and the number of healthcare cyber attacks have nearly doubled since 2018. And these attacks are not cheap— in 2022 the average healthcare data breach cost a whopping $10.1 million, according to IBM.

Developing a comprehensive cybersecurity program is a time- and resource-consuming pursuit for HDOs, not made any easier by the exodus of IT talent from the industry. Leaders of small and rural healthcare organizations know that cyber attacks have dire privacy and financial consequences, but when they’re forced to choose between an urgently-needed MRI machine for their patients or a new cybersecurity product, they’ll understandably choose the former. Weighing cybersecurity upgrades and patient care upgrades is a zero-sum game for healthcare organizations already operating at a resource disadvantage.

While the NIST framework updates and other regulatory guidelines hold the potential to influence cybersecurity in healthcare, without federal assistance or incentives to invest, we won’t see many health IT leaders rushing to adopt the protocols while navigating a sea of competing priorities. For the sake and safety of public health, the cybersecurity needs of healthcare must be addressed with legislation.

Mitigating Healthcare Risk with Legislation

The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, strengthened HIPAA regulations and incentivized the adoption of health information technology. The act also launched the Meaningful Use program, which provided HDOs with financial incentives to integrate electronic health records (EHRs) into their practices. The funding granted to help speed up the adoption of EHRs was vital. Before the HITECH Act, only 10% of hospitals had incorporated EHRs into their practices and today, at least 95% of hospitals use EHRs.

Meaningful Use allowed healthcare organizations across the country to prioritize upgrading their IT capabilities without sacrificing other budgetary needs. The widespread implementation of EHRs enabled the healthcare industry, at large, to better serve their patients and communities.

While the HITECH Act helped the healthcare industry embrace digitization, it also dramatically expanded the threat surface and led to more security protocols that ultimately slowed down clinicians throughout the care delivery process, which also led to security risks. Research by IBM found that 80% of healthcare cyber attacks exposed patient’s sensitive personal and medical data, and federal records show that 385 million patient records have been exposed between 2010-2022 in healthcare breaches.

These attacks have a dramatic effect on care delivery and patient outcomes: A recent study we conducted at Imprivata found that 32% of HDOs have been forced to divert patients to other healthcare facilities after a cyber attack, and 31% of HDO representatives reported that due to cyber attacks, patient exams and procedures were delayed, resulting in poor patient outcomes. In order for HDOs to abide by today’s regulatory guidance, the healthcare industry needs another initiative that can lead the quick transformation we saw in the Meaningful Use initiative – one that focuses on cybersecurity.

Cybersecurity Meaningful Use

With a ‘Cybersecurity Meaningful Use’ initiative modeled after the original Meaningful Use program, healthcare organizations would be required to meet a set of minimum standards, and would receive federal incentives for meeting each subsequent stage of cybersecurity maturity. These standards would be tailored to the complexity of healthcare’s unique IT environment and workflow, and would take regulatory guidance and identity and access management best practices into consideration.

There are already signs of progress on the horizon. US Senator Mark Warner is a notable proponent for further government legislation on cybersecurity in the healthcare sector, and his recent policy options paper, ‘Cybersecurity is Patient Safety’ offers a comprehensive breakdown of the obstacles and opportunities the government has to shore up the healthcare industry’s risk posture.

While regulatory guidance provides helpful context to consider, the CSF updates alone ultimately won’t actually change much for many of the nation’s most vulnerable healthcare organizations. Real change will come when standards and initiatives are introduced alongside the means needed to achieve them. What’s required now to buoy the cybersecurity postures of small and rural healthcare organizations is a catalyst in the form of a Cyber Meaningful Use program. Legislation like this could revolutionize healthcare’s approach to cybersecurity and finally generate momentum around securing the systems first introduced by the original Meaningful Use initiative. 

This article is sponsored by Imprivata.

About the Author:
Joel Burleson-Davis is the SVP of Worldwide Engineering, Cyber at Imprivata where he’s responsible for building, delivering, and evolving the suite of Imprivata’s cybersecurity products that include Privileged Access Management, Privacy Monitoring, and Identity Governance solutions. Prior to joining Imprivata, Joel was Chief Technical Officer at SecureLink, the leader in critical access management for organizations in need of advanced solutions to secure access to their most valuable assets, including networks, systems, and data.

Subscribe to Industry Today