Cybersecurity in the healthcare industry

From HIPAA to the new healthcare hacking incidents after COVID-19, to the European Health Data Space (EHDS)

Adversaries search for only one vulnerability in the link consisting of systems and persons with authorised access, in the healthcare industry or the service providers. For exanple, in February 2013 the Community Health Systems (CHS), one of the largest healthcare providers in the USA with 80 hospitals in 16 states, explained in the FORM 8-K to the SEC:

"Community Health Systems, Inc. (the “Company”) was recently notified by Fortra, LLC, a third party vendor of the Company, that Fortra had experienced a security incident that resulted in the unauthorized disclosure of Company data. Fortra is a cybersecurity firm that contracts with Company affiliates to provide a secure file transfer software called GoAnywhere. As a result of the security breach experienced by Fortra, Protected Health Information (“PHI”) (as defined by the Health Insurance Portability and Accountability Act (“HIPAA”)) and “Personal Information” (“PI”) of certain patients of the Company’s affiliates were exposed by Fortra’s attacker.

Upon receiving notification of the security breach, the Company promptly launched an investigation, including to determine whether any Company information systems were affected, whether there was any impact to ongoing operations, and whether and to what extent PHI or PI had been unlawfully accessed by the attacker. While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care. With regard to the PHI and PI compromised by the Fortra breach, the Company currently estimates that approximately one million individuals may have been affected by this attack.

The Company will ensure that appropriate notification is provided to any individuals affected by this attack, as well as to regulatory agencies as required by federal and state law. The Company will also be offering identity theft protection services to individuals affected by this attack. The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. However, the Company may have incurred, and may incur in the future, expenses and losses related to this incident that are not covered by insurance. While the Company is continuing to measure the impact, including certain remediation expenses and other potential liabilities, the Company does not currently believe this incident will have a material adverse effect on its business, operations, or financial results."

In the UK, the Covid-19 pandemic created new areas of vulnerability, including the need to protect and secure vaccine and health sector supply chains. One in five hacking incidents in the last 12 months were linked to the health sector and vaccines, according to the 2021 Annual Review of the National Cyber Security Centre. Launched in October 2016, the NCSC has headquarters in London and brought together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure.

In the European Union there are some major developments. The newly launched European Health Data Space (EHDS) is one of the main building blocks of the European Health Union, and a milestone in EU’s digital transformation. It affects all cybersecurity projects in the healthcare industry in the European Union.

According to the European Commission, during the early days of the COVID-19 outbreak in Europe, Member States took unilateral measures to protect their own populations. However, these uncoordinated measures were not effective in overcoming the virus. Reintroduction of internal border controls, for example, disrupted mobility and the daily life of millions of people living and working in border regions. They disrupted vital supply chains and prevented the flow of essential goods and services across the internal market.

Coordinating and where necessary pooling efforts at European level delivers more effective responses to the expectations of European citizens in an area which is consistently among their top concerns. Attention needs to be given to the risk of popular skepticism on health measures, that is partly triggered by an increase of disinformation on health issues.

The collective effort to fight the COVID-19 pandemic, as well as other future health emergencies, calls for strengthened coordination at EU level. Public health measures need to be consistent, coherent and coordinated to maximise their effect and minimise the damage for people and business alike. The health situation in one Member State is contingent on that of others. Fragmentation of effort in tackling cross-border health threats makes all Member States collectively more vulnerable.

In her 2020 State of the Union address, the President of the Commission called on Europe to draw lessons from the current crisis and build a European Health Union. As the experience of the pandemic is showing, gathering the EU Member States’ strengths helps overcome individual weaknesses. By working with the European Parliament and the Council towards a stronger Health Union, the EU can be equipped to prevent, prepare for and manage health crises both at the EU and global level, with all the societal and economic benefits that it would bring.

The European Health Data Space (EHDS) regulation in the EU improves access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for other purposes that would benefit the society such as research, innovation, policy-making, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data).

The EHDS also improves the functioning of the EU internal market, by laying down a uniform legal framework for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with EU values.

Who benefits from the EHDS?

According to the European Commission, the European Health Data Space will empower individuals across the EU to fully exercise their rights over their health data. People will be able to easily access and share these data, while retaining greater control over them, fully in line with our overall EU approach to data protection.

At the same time, the work of health professionals will be made easier and more effective. With improved interoperability, health professionals will be able to access a patient's medical history across borders, thus increasing the evidence base for decisions on treatment and diagnosis, including when the patients' data is in another EU country.

By strengthening interoperability to support data exchange between healthcare providers within countries and across borders, healthcare providers will avoid duplications of tests, with positive effects for patients and healthcare costs.

Researchers will also benefit from a more direct way of obtaining access to data within a trusted and secure framework. Researchers will have access to larger amounts of high-quality data. They will be able to access the data in a more efficient and less expensive way, through a data access body that guarantees the privacy of the patients.

Regulators and policymakers will also have easier access to health data for policy making and for a better functioning of healthcare systems. This will lead to better access to healthcare, reduced costs, increased efficiency, more resilient health systems, new research and innovation and enable more evidence-based policymaking.

Industry will benefit from an EU-wide market for electronic health record systems, with the same standards and specifications. Greater availability of electronic health data will improve people's health, facilitate the production of innovative medicinal products and devices that offer better and more personalised care. Industry will be also able to develop new devices that use artificial intelligence technology.

According to Article 1, Subject matter and scope:

1. This Regulation establishes the European Health Data Space (‘EHDS’) by providing for rules, common standards and practices, infrastructures and a governance framework for the primary and secondary use of electronic health data.

2. This Regulation:

(a) strengthens the rights of natural persons in relation to the availability and control of their electronic health data;

(b) lays down rules for the placing on the market, making available on the market or putting into service of electronic health records systems (‘EHR systems’) in the Union;

(c) lays down rules and mechanisms supporting the secondary use of electronic health data;

(d) establishes a mandatory cross-border infrastructure enabling the primary use of electronic health data across the Union;

(e) establishes a mandatory cross-border infrastructure for the secondary use of electronic health data.

3. This Regulation applies to:

(a) manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the Union and the users of such products;

(b) controllers and processors established in the Union processing electronic health data of Union citizens and third-country nationals legally residing in the territories of Member States;

(c) controllers and processors established in a third country that has been connected to or are interoperable with MyHealth@EU;

(d) data users to whom electronic health data are made available by data holders in the Union.

The European Health Data Space builds further on the General Data Protection Regulation (GDPR), the EU Data Governance Act, the EU Data Act, and the NIS 2 Directive. Cybersecurity has become a very complex compliance project in the EU.

You can find more information at: European Health Data Space (EHDS) Training

In the USA, the HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as “protected health information”).

It applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization.

The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.

In the USA, there are challenges with the rulemaking to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Every development is a compliance challenge.

In the USA also, the new NIST Special Publication, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide of July 2022, focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. This publication provides additional guidance and resources that must be used by regulated entities of all sizes to protect ePHI, and better understand the security concepts discussed in the HIPAA Security Rule.

Multinational entities in the healthcare industry must understand and implement the cybersecurity compliance requirements in the USA, the EU, and other countries. Cybersecurity experts must understand the law, and senior management and the Board must understand the technical requirements for the protection of the human element of security and the systems. This is becoming a very complex and difficult task.

Our training programs

Cyber Risk GmbH is offering training programs in some difficult areas, like the new NIS 2 Directive of the European Union that changes the compliance requirements of many entities in the healthcare sector, the European Health Data Space (EHDS) for EU and non-EU healthcare providers, and programs that assist the Board of Directors and the CEO in understanding cybersecurity challenges.

The Board of Directors and the CEO of entities in the healthcare sector must understand that they are high value targets. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.

Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.

Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.

With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.

You may visit:

Cybersecurity Training for the Healthcare Sector.

The NIS 2 Directive as it applies in the Healthcare Sector.

Preparing for the European Health Data Space (EHDS), for EU and non-EU healthcare providers.

Cybersecurity Training for the Board of Directors in the Healthcare Sector.

Cyber Risk GmbH, some of our clients