This article was reproduced with permission from Bloomberg Law. Published August 29, 2024. Copyright 2024 Bloomberg L.P. 800-290-5460. For further use, please visit https://licensing.ygsgroup.com/bloomberg/.
In today's digital age, the health care industry is increasingly reliant on electronic health records and other digital systems to manage patient information. The shift has brought about significant advancements in patient care and operations; however, it has also created challenges related to data privacy, security, and protection. The recent hack of Change Healthcare's claims processing has demonstrated how systemically dependent—and exposed—providers are to breakdowns in security of these systems.
On February 21, 2024, Change Healthcare—a subsidiary of UnitedHealth Group and one of the largest payment processing companies in the world—was knocked offline by a cyberattack. Change, which processes nearly 40% of all medical claims, went dark—not for hours but for weeks.
The lack of modern data security protections and an ineffective data breach plan resulted in one in three Americans having their sensitive health information leaked into the dark web. It also created nearly catastrophic financial pressures on hospitals, pharmacies, and other providers who were suddenly left unable to submit claims for reimbursement. Without these receivables, providers scrambled to identify methods for securing funds to pay vendors and employees while continuing to provide medically necessary care or medications to patients, all with no assurance of when the crisis would end or if they would ever be reimbursed.
The Change cyberattack highlights the significant shortcoming of businesses, both large and small, in making substantial investments in data security and protection. Additionally, it underscores the immediate need to develop an effective breach plan for when a cyber incident occurs. New laws, regulation and guidance are rapidly being implemented throughout the United States and overseas and, as such, a comprehensive review of your company's cybersecurity compliance program is strongly recommended.
Increased Security & Reporting Requirements
The increased cyber threats by bad actors have resulted in heightened focus by federal and state regulators on cybersecurity and ensuring that the public is protected from such threats. For example, the U.S. Securities and Exchange Commission (SEC) issued new reporting requirements that went into effect on December 18, 2023, and New York state's Department of Financial Services (NY DFS) has implemented complex cybersecurity mandates. The new laws, regulations and guidance not only have increased the requirements for companies to take real action to prevent cyberattacks but also expand compliance obligations.
Indeed, UnitedHealthcare—the fifth largest company in the U.S. and the top ranked in health care—failed to implement the industry standard of multifactor authentication (MFA) to secure the server that was breached at Change. (Change Healthcare Cybersecurity Incident Frequently Asked Questions | HHS.gov). MFA requires a combination of factors to confirm a user's identify before granting access to files. For years it has been known that MFA improves data security and protection. For companies like pharmacies that also maintain credit card information and handle controlled substances, MFA should be being used to comply with the Payment Card Industry Data Security Standard (PCI DSS) and with the Drug Enforcement Administration's rules governing electronic prescriptions for controlled substances. (eCFR :: 21 C.F.R.Part 1311 -- Requirements for Electronic Orders and Prescriptions).
Specifically, New York's amendments to its cybersecurity regulations look to set a national standard. The regulations aim to integrate cybersecurity into business practices more effectively, with a focus on stronger standards, including improved access controls, more frequent risk assessments, and updated reporting requirements, including those for ransomware payments. (Governor Hochul Announces Updates To New York's Nation-Leading Cybersecurity Regulations As Part Of Sweeping Effort To Protect Businesses And Consumers From Cyber Threats | Department of Financial Services (ny.gov)). These new regulations may require a significant enhancement to and investment in cybersecurity protections and provide for additional investigative and enforcement rights for NY DFS. Certain regulations took effect immediately, while others will be become effective at a later date. The amended regulations apply to entities operating under authorization of New York banking, insurance, or financial services law, which includes health insurance companies and pharmacy benefit managers. Compliance with these regulations is a substantial undertaking that includes updating policies and procedures, training, and developing an incident response strategy. Going forward, New York's model could be expanded or adopted by other state or federal agencies. The framework also can serve as a guide to entities developing their own compliance programs.
The SEC's new disclosure rules apply to public companies but should signify to all entities the heightened emphasis on compliance and protection that is going to be required to meet industry best practices. These rules require, among other obligations, reporting of “material” cybersecurity incidents and make annual disclosures about cybersecurity risk management, and disclosure of the company's oversight of risks by the management, committees and board members. Like the NY DFS regulations, the new SEC requirements should serve as a model for developing a compliance program and the management and communication of cyber incidents.
Health care companies are in a unique environment, as the new cybersecurity laws and regulations are adding another layer to an already-complex area of compliance. Entities need to be aware of the differing, and sometimes inconsistent, requirements set forth in state and federal data breach laws that are in addition to HIPAA. Accordingly, retaining legal counsel that is familiar with both federal and state laws, regulation and guidance is critical to ensuring compliance. Moreover, as many cyber incidents arise out of the use of third-party providers, the due diligence in vetting those providers is also increasingly important, as they may not be subject to the same requirements.
Health Care Providers Must Take Data Security & Protection Seriously
In 2023 there was an unfortunate record 725 data breaches reported to the U.S. Department of Health and Human Service's Office for Civil Rights (OCR) involving 500 or more records, exposing more than 133 million records. Healthcare Data Breach Statistics (hipaajournal.com). Notably, OCR does not publish smaller breaches, which would undoubtedly increase the numbers exponentially.
All health care companies need to conduct a review and assessment of their practices and plans.
At a minimum, this should include:
- Compliance & data mapping: Evaluate whether your company's technology and legal compliance meet industry standards. Perform risk analysis, random tests, and audits. Review policies for authentication, reporting, and response plans. Perform data mapping to identify access points and back-up plans.
- Vendor due diligence: Review contracts and business associate agreements to determine whether vendors have represented that they meet or exceed data security and protection industry standards, have cyber insurance, and will protect your company in the event of a breach as a result of their scope of work. Interview your vendors to ensure they have proper protections and a breach plan.
- Develop a breach plan: Identify your breach team, including expert vendors, and make sure they know their roles in the event of a breach. This will help your company get back online faster and minimize the impact of disruptions.
Robust data security and effective breach response plans are of critical importance. As digital systems become more integral to patient care and operations, companies cannot afford to ignore the vulnerabilities they introduce. A cyber incident for a health care provider can result in financial and operational disruptions and, more critically, there are grave risks to patient privacy and health. It is imperative that health care providers prioritize and invest in advanced cybersecurity measures and compliance programs. They must also remain vigilant against emerging threats. By conducting thorough risk assessments and developing proactive breach plans, health care providers can better protect sensitive data and maintain trust in an increasingly digital world.