



"They're a fish out of water. They were given the HIPAA enforcement role but haven't had the resources to support that role," said Mac McMillan, CEO of CynergisTek, a Texas-based company that helps healthcare organizations improve their cybersecurity.

Because of its tight budget, the Office for Civil Rights has fewer investigators than many local police departments, and each of its investigators must juggle more than 100 cases at a time. The office's budget in 2022 was $38 million, roughly the cost of about 20 MRI scanners, which can run between $1 million and $3 million each.

Another problem is that the office relies on the cooperation of the victims, the institutions targeted by hackers, to supply evidence of the crimes. Those victims can be reluctant to report breaches because HHS could then charge them with violating HIPAA and impose fines on top of the costs of the breach itself and the ransoms hackers often demand.

To some, that looks like blaming the victim, especially since the hackers are sometimes funded or run by foreign governments. It has also raised questions about whether the U.S. government should be doing more to protect health organizations.

In an Aug. 11 letter to HHS Secretary Xavier Becerra, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), former co-chairs of a cybersecurity commission that examined the threat, raised this point, questioning the government's lack of robust and timely sharing of actionable threat information with industry partners.

A stronger hammer

The scope of the threat is enormous and the consequences of the violations grave. According to a 2021 survey by the Healthcare Information and Management Systems Society, more than two-thirds of healthcare organizations experienced a significant incident in the past year, mostly phishing or ransomware attacks.

These incidents carry potentially significant financial consequences and can threaten patients' lives. A recent report by cybersecurity firm Cynerio and the Ponemon Institute, a cybersecurity research center, found that roughly 1 in 4 cyberattacks led to increased mortality by delaying care.

Experts say the healthcare industry is particularly vulnerable, partly because of its rapid digital transformation and partly because it is an attractive ransomware target: a disruption of care can endanger patients' lives, which pressures healthcare organizations to pay. In 2021 alone, hackers accessed nearly 50 million people's records, raising privacy concerns and leaving many exposed to fraud.

The HHS office expects to handle 53,000 cases in fiscal year 2022. In 2020, it had 77 investigators, some of whom are also assigned to other matters, such as civil rights violations.

Melanie Fontes Rainer, the Biden administration official who heads the Office for Civil Rights, said her investigators have to choose their battles because they are "incredibly resource constrained and incredibly overstretched."

She describes it as a funding problem, and the Biden administration has asked Congress for a roughly 58% budget increase for the office in fiscal year 2023, to $60 million, which would allow it to hire 37 new investigators.

But advocates for the victims want assurance that the new hires would help them prevent future attacks rather than penalize them for failing to stop previous ones.

"If OCR is looking for money, it will protect the hospitals well. It's the role of HHS not just to penalize the victim," said Greg Garcia, executive director of the Health and Public Health Coordinating Council, which represents a number of the healthcare sectors targeted by hackers.

That is essentially what the office does, but fines are always possible, and Fontes Rainer said more resources will yield more enforcement, which will encourage healthcare organizations to meet their obligations under HIPAA. Tim Noonan, a senior official under Fontes Rainer, also expects the added resources to strengthen the agency's ability to offer advice and technical assistance.

"A budget increase will give us a stronger hammer," said Fontes Rainer. "Enforcement stops the conduct, but it is also a deterrent to others."

In July, HHS levied its first major penalty since President Joe Biden took office, fining Oklahoma State University's Center for Health Sciences $875,000. Agency investigators found that the center had not reported a breach in a timely manner and had not taken steps to protect the data.

Fontes Rainer is also pushing for higher fines after a legal setback at the end of the Trump administration.

In January 2021, the 5th U.S. Circuit Court of Appeals overturned a $4.3 million fine the Office for Civil Rights had imposed on the University of Texas MD Anderson Cancer Center for data breaches. The court called the penalty "arbitrary and capricious," giving ammunition to critics of the office's enforcement efforts.

The Trump administration imposed more than $50 million in fines for violations over four years. But then-Office for Civil Rights director Roger Severino also moved to lower the maximum fines for entities that had not willfully disregarded the privacy law or that took corrective action, saying the office had been misinterpreting the law.

A cop on the side of the road

If HHS were to move further away from enforcement, some experts said, it could lead to more neglect.

"More than half of the healthcare industry is woefully ill-prepared to protect against cyber threats," said Carter Groome, CEO of First Health Advisory, a healthcare risk management consultancy.

In organizations with few resources, that lack of preparation is understandable. In large health systems, it is not.

"We know of a CIO in a small, rural facility who is also responsible for everything from snow removal to checking that the air conditioning is working," said Tom Leary, vice president of government relations at the Healthcare Information and Management Systems Society. "But if they have enough resources and they don't fulfill their responsibilities, [enforcement] absolutely must be part of the process."

Leary's group has found that cybersecurity budgets are often lean. Stronger enforcement could prompt healthcare organizations to increase them.

"You see a cop on the side of the road, you slow down. When you don't, you may not necessarily be paying attention to how fast you're going," said Deven McGraw, head of data management and sharing at biotech company Invitae.

Others are more skeptical. "HHS enforcement is like ninth on the list of reasons to have a good security program," said Kirk Nahra, a privacy attorney at the law firm WilmerHale, adding that aggressive enforcement could hamper the data sharing the government is otherwise trying to encourage. "Why would I let you in… if there's a chance it'll go wrong and I'll get hammered."

There are other ways the government could help healthcare organizations improve their cybersecurity. Industry advocates point to two key areas: money for better defenses and funding for workforce development.

John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, called for federal support in worker training and grants to help organizations bolster their security efforts. And in his congressional testimony, Erik Decker, chief information security officer for hospital chain Intermountain Healthcare, called on the Centers for Medicare & Medicaid Services to consider developing payment models to directly fund cyber programs.

Unlike King and Gallagher, many industry players said they were encouraged by progress on information sharing. The HHS Health Sector Cybersecurity Coordination Center has helped, they said, and the public-private 405(d) task force and program received high marks for its work developing guidelines to help healthcare organizations defend themselves. Congress called for that collaboration in Section 405(d) of a 2015 law.

Still, King and Gallagher said in their letter to Becerra that they were concerned information sharing was not robust enough given the growth in cyberattacks. They called for an urgent briefing from HHS and suggested they would be willing to propose funding and legislation expanding the agency's powers to tackle hackers.

