By Lee Kim, senior principal, cybersecurity and privacy, HIMSS
Healthcare cybersecurity professionals should treat the start of 2024 as an opportunity to review their cybersecurity programs with a fresh perspective. Think about how well the program is performing, as well as how well it is being governed.
Engage both senior management and executives to be champions of the enterprise-wide cybersecurity program. Contemplate how security awareness initiatives and briefings can be re-invigorated for the new year.
Last, but not least, gauge how well your organization is doing in keeping up with technological advancements such as artificial intelligence, quantum computing, 5G, cloud computing, and the Internet of (Many) Things. Take the time to think of how your cybersecurity strategy can be refreshed in light of changing times. We are now in a new era.
More to come this year as we look forward to revealing the results of the 2024 HIMSS Healthcare Cybersecurity Survey during the first quarter of this year.
In April 2023, the U.S. Department of Health and Human Services (HHS) released the 2023 edition of the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). This set of guidelines and best practices for healthcare providers aims to improve both security and resilience.
The HICP is an example of recognized security practices for the healthcare industry. While the recognized security practices are voluntary, evidence that a regulated entity is adhering to recognized security practices may be considered a mitigating factor in audits and investigations by the Office for Civil Rights, in accordance with the 2021 amendment to the HITECH Act. Regulated entities should be able to demonstrate that they are actively and consistently using these recognized security practices and that they have been fully implemented.
The Office for Civil Rights and the Federal Trade Commission warned hospital systems and telehealth providers about the various privacy and security risks from online tracking technologies in July 2023. Covered entities need to understand exactly how protected health information is being used within their environment. This includes any processing done by, or on behalf of, a business associate performing a function for the covered entity.
But even if an entity is not regulated by the Office for Civil Rights, it may be subject to oversight from the FTC.
Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” In February and May of 2023, the FTC announced enforcement actions against vendors for the impermissible use and sharing of personal health information.
Companies that do not disclose that personal health information is sold and/or shared with third parties, despite promises to the contrary, may be in violation of the FTC Act. Additionally, failing to adequately protect personal health information may also be in violation of the FTC Act.
Furthermore, even if entities are not subject to HIPAA and the HIPAA Breach Notification Rule, they may be subject to the FTC and its FTC Health Breach Notification Rule.
In August 2023, NIST released a draft version of the Cybersecurity Framework 2.0. A significant new addition to the framework is the Govern core function. The core functions are now Govern, Identify, Protect, Respond, and Recover. Above all, robust governance is paramount for a well-functioning and effective cybersecurity program.
Further, cybersecurity supply chain risk management is integrated throughout CSF 2.0.
The final version of NIST CSF 2.0 is expected in early 2024. Additional resources can be found on the NIST Cybersecurity Framework resource page.
Also in August 2023, the U.S. Securities and Exchange Commission published its final cybersecurity disclosure rules amending certain requirements of U.S. publicly traded companies. These companies are now required to publicly report material cybersecurity incidents without unreasonable delay and no later than four calendar days after the determination of materiality has been made (Form 8-K).
Information on the management and oversight of the cybersecurity program is also required in annual filings (Form 10-K).
Finally, in December 2023, the U.S. Department of Health and Human Services released a concept paper announcing the forthcoming healthcare sector-specific cybersecurity performance goals. The sector-specific cybersecurity performance goals are voluntary, but they will empower healthcare entities to better plan and prioritize the implementation of robust cybersecurity practices.
Gain insights at the 2024 HIMSS Global Health Conference & Exhibition into how cybersecurity experts are safeguarding healthcare, expanding the digital landscape and ensuring the security of data. Discuss evolving strategies, investments and innovations.
Rachel Tobac, CEO of SocialProof Security, will deliver a keynote diving into the anatomy of trust exploitation in real world social engineering attacks, walking through step-by-step examples of attacks that happened during COVID-19, and identifying the steps to protect data, money, security and privacy from real world attackers. Explore cybersecurity programming at HIMSS24.
At HIMSS, our vision is to realize the full health potential of every human, everywhere. Be part of the community that’s transforming the global health ecosystem with courage, curiosity and determination.