The Changing Landscape of Cybersecurity Accountability in Healthcare
During the last ten years, 489 million patient records have been compromised at an average cost of $9.48 million per breach, with each incident posing a significant risk to patient privacy. This has increased cybersecurity-related lawsuits, and more CISOs and other C-suite (CIO, CEO, CFO, etc.) members are starting to be held legally accountable for not deploying appropriate security measures.
During our recent webinar discussion, CloudWave’s Director of Product Management, Kelli Watson, and Principal Cybersecurity Advisor Guy McAllister outlined some elements that CISOs and the C-suite can focus on to reduce liability while increasing defensibility in the event of a cyberattack.
The Changing Liability Landscape
Cybersecurity threats, including ransomware, phishing attacks, and data breaches, expose sensitive patient information and are becoming more severe and more prevalent. When asked who is responsible for handling cyberattacks and the incident response that follows them, about 90% of hospital organizations said that IT owns it. Part of the reason for this is that people tend to think first about the electronic systems that were attacked, which is IT's domain. However, the priority they should focus on is patient safety, which is everyone's responsibility.
Incident response must become more patient-centric, shifting the thinking toward how the cyber event will impact patients and how to prioritize them. This requires a more holistic and people-focused approach over traditional methods, regulations, and frameworks, which primarily focus on data.
A multi-departmental approach helps close the gap between prioritizing patient impact and prioritizing data in an attack response. One practice evolving to address this is the tabletop exercise, which tests a team's response to a realistic attack scenario. Tabletops that expand beyond the traditional IT focus to include executive and clinical teams are becoming more common. This type of exercise gives everyone involved a broad organizational view, so they better understand the widespread impact of a cyber event and their own role in the response, including what happens during prolonged periods of downtime.
Addressing Legal Action
Vanderbilt University released a study after examining significant cyberattacks in the healthcare space. It found that patient mortality increases during any type of significant cybersecurity event. Patient safety was affected not because critical systems were offline or medical devices were compromised, but because caregivers became distracted while worrying about the attack. Care teams became less focused on caring for the patient due to an emotional response and sometimes had lower trust in the systems once they were back online.
Lawsuits are increasing as a result of this. A 2019 lawsuit in Alabama alleged that a hospital did not have the appropriate training protocols and practices to respond to a cyberattack and that its staff was distracted. Because of this, proper care was not given to a newborn who tragically died as a result. The mother also claims that she was not informed of the cyberattack when it was happening and would have made different decisions if she had known that the hospital was dealing with an attack.
A Premera Blue Cross data breach that exposed the personal information of approximately 11 million individuals led to a $74 million settlement and multiple regulatory fines. The repercussions highlighted deficiencies in the company’s cybersecurity measures and raised questions about the role of its executives in overseeing the data. This reinforces the C-suite’s role in understanding the governance strategy.
Other high-profile ransomware attacks, including those on Universal Health Services, Scripps Health, and Change Healthcare, have all led to significant operational disruptions and patient care delays, resulting in multiple lawsuits and regulatory actions targeting the C-suite. We believe these lawsuits will continue to evolve, and we will see more of them.
Reducing Liability and Increasing Legal Defensibility
As healthcare organizations face a growing litany of cybersecurity issues, a clear trend is emerging around executive accountability for their actions, or their inaction. Executives are increasingly being held accountable for their organization's cybersecurity posture.
As a result, healthcare organizations must foster a culture of security awareness and ensure that cybersecurity is prioritized at a strategic level, promoting a culture where cybersecurity is everyone’s responsibility. An open line of communication between IT leaders, the C-suite, and the board is essential so the entire leadership team understands cybersecurity.
While being sued may not be preventable, there are steps that help avoid being judged liable. Defensibility increases when an organization adopts recognized best practices, including the NIST Cybersecurity Framework (CSF), NIST SP 800-53, and HITECH, and documents how closely it follows them. Organizations also rely on maturity models to help with compliance and to guide discussions with executives that identify gaps.
The deposition test is another tactic to raise defensibility. When making a cybersecurity decision, imagine being in a deposition about the organization’s policies, decisions, testing, and more. Are you comfortable with what the results would be?
The Evolving Regulatory Environment
The HIPAA Safe Harbor Bill, H.R. 7898, helps prepared organizations by ensuring that the Department of Health and Human Services (HHS) considers whether an organization has made appropriate investments in cybersecurity when determining fines, and reduces fines for those that have. By investing appropriately and following best practices, potential liability is reduced. Document everything.
The regulatory landscape governing healthcare cybersecurity continues to become more stringent. Key regulations that many are familiar with, such as HIPAA and HITECH, mandate strict data protection and privacy standards, and they have evolved to place greater responsibility on the organization's executives, who are now expected to ensure compliance with cybersecurity standards and implement robust measures. GDPR further exemplifies this trend with its stringent data protection requirements and significant fines for non-compliance.
The National Cybersecurity Strategy framework also seeks to protect critical infrastructure, including hospitals, from cyber threats. This strategy holds that ransomware threatens national security, public safety, and economic prosperity, and that businesses should not pay ransoms, so as to reduce the profit potential of ransomware schemes. The FBI has stated that if an organization pays ransomware, it is automatically placed on the terrorist watch list because it is considered to be funding terrorism.
Steps and Best Practices for a Patient-Centric Incident Response
Have open discussions about ransomware, regulations, and cybersecurity practices, and shift from solely protecting data to becoming more patient-centric. The following steps will help develop a more robust cybersecurity posture and a stronger patient-centric incident response program:
- Remaster existing incident response and recovery plans to become patient-centric
- Conduct executive, clinical, and operational leadership education
- Roll out ground force training, including rapid response, shift leadership, and emergency management
- Integrate IT and clinical engineering
- Invest in advanced security technologies, including intrusion detection systems, multi-factor authentication, and encryption
- Conduct regular training and awareness for employees and maturity model assessments
- Perform risk assessments to help identify vulnerabilities and address them proactively
- Engage third-party experts to conduct independent audits and penetration testing
- Test/update incident response plans to ensure their effectiveness
- Foster collaboration across departments and ensure that cybersecurity is integrated into all business processes and decisions
- Determine the organization’s risk tolerance and understand the level of investment required to increase defensibility
- Maintain open communication with regulatory bodies to stay informed about changes and expectations
Overall, the changing landscape of cybersecurity accountability places greater responsibility on the C-suite to maintain organizational resilience. By adopting proactive measures and fostering an enterprise-wide culture of security, healthcare leaders can more effectively safeguard their organizations and uphold accountability in the face of growing cyber threats. To explore this critical subject in more detail, we invite you to listen to the on-demand webinar “The Changing Landscape of Cybersecurity Accountability in Healthcare,” provided to our CloudWave Cybersecurity Insider Program members.
Not a member? Join now for access to live monthly educational webinars, on-demand training sessions, threat intelligence alerts, and more. If you have any additional questions or want to discuss your cybersecurity strategy with one of our experts, please email customersfirst@gocloudwave.com.

Kelli Watson
Director of Product Management