Chapter 3: Culture
I. Summary
Any attempt to positively transform cybersecurity within healthcare must be informed by an understanding of the cultural idiosyncrasies of the healthcare sector. By understanding the culture of healthcare from the start and identifying instances where the prevailing culture may directly conflict with beneficial cybersecurity measures, policy recommendations may be offered that both align with and shift cultural norms to ultimately support a healthy cybersecurity posture.
Atul Gawande’s book The Checklist Manifesto speaks eloquently of the importance and challenges of even simple culture change, through the mechanism of preoperative surgical checklists.1 While there are many important points made in the book, fundamentally the work of patient safety is around culture change. For instance, much of the process and procedure added by presurgery checklists was focused on getting nurses, doctors, and anesthesiologists to communicate and share goals more clearly. This simple act of going through a checklist together aligned them and improved their dialogue, a major contributor to the lives saved from these interventions.
This chapter begins with an overview of the aspects of healthcare’s culture that affect the sector’s overarching approach to cybersecurity. Some of the specific cultural challenges in healthcare are summarized in the table below:
Table 1: Summary of Healthcare Culture Challenges
| Area | Unique Characteristic or Challenge |
|---|---|
| Diversity of healthcare stakeholders | Huge range of healthcare organizations, from single physician practices in rural localities to large integrated delivery networks (IDNs) with 100+ hospitals |
| Internal information sharing | Extremely open, academic culture of collaboration. Sharing of patient case details amongst healthcare employees is necessary to support mission. Few traditional role-based access controls. |
| External information sharing | Many stakeholders in healthcare who may need access to near-complete records (clinical partners, payers, government agencies, etc.) |
| Internet of Things | Life-supporting medical devices that can be lethal if misused. Legacy devices introduce new security risks and privacy implications under HIPAA due to the collection and storage of sensitive data. |
| Lopsided digitization between clinical and infrastructural technology | Slow adoption of improvements to technologies that are not clinical devices and provider-driven purchases (i.e., the “shiny new thing”), but rapid and untested adoption of some patient-centered items. |
| Personnel | Professionals are generally non-technical but continuously interacting with sensitive technology. Reporting structures differ across healthcare organizations, often leading to poor responsibility and accountability over cybersecurity. Sometimes arbitrary cleavages between siloed privacy and security teams. |
| Budget | Highly-constrained and low-margin (mostly nonprofit) providers. No standard benchmark on the appropriate allocation of resources for cybersecurity per unit of scale in a health system. However, it is worth noting that insufficient cybersecurity budgets also exist at high-margin health systems. |
| Threat landscape | Insiders pose the greatest threat to healthcare organizations in terms of data breaches; external threats pose the greatest risk with regard to ransomware/malware attacks against medical devices.{{63}} |
To address these challenges, the chapter offers policy recommendations for policymakers in federal and state government, as well as healthcare industry leaders. Our cultural policy recommendations are:
- The Department of Health and Human Services Office for Civil Rights should showcase health systems with innovative privacy and security programs (3.1)
- Provide multi-tiered information sharing for healthcare’s diverse practice environments (3.2)
- Develop the cybersecurity equivalent of the nurse-to-patient ratio (3.3)
- Hold boards of directors responsible for healthcare privacy and security (3.4)
- Ease regulations to enhance the sector’s resource sharing capabilities (3.5)
II. Healthcare-Specific Culture Challenges
Simply put, the primary mission of the healthcare sector is to save patient lives and keep individuals healthy. To achieve this mission, a healthcare organization must align its cultural priorities in a number of areas—from hiring a sufficient number of doctors and nurses to meet patient needs, to investing in new medical technologies and system infrastructures to support medical operations. Oftentimes, cybersecurity is relegated to a lesser priority or, in some cases, not seen as a priority at all. But emerging technologies are transforming healthcare and surfacing new threats. Failure to mitigate medical cybersecurity vulnerabilities places patients and healthcare organizations at risk of incurring real financial, reputational, and physical harm in the aftermath of a breach, making that healthcare organization unable to achieve its primary mission.
In this section, we explain healthcare’s cultural idiosyncrasies to help identify instances where the prevailing culture may directly conflict with beneficial cybersecurity measures and offer policy recommendations on how the two can be reconciled.
i. Diversity of healthcare stakeholders
The healthcare sector is a diverse ecosystem of organizations with different capacities and practice areas; the term covers everything from single physician practices in rural localities to large, multi-state hospital networks with tens of thousands of clinicians. Of the 5,534 registered hospitals in the United States, the majority are community-run, including nonprofit hospitals (51.48 percent), for-profit hospitals (18.7 percent), and state and local government hospitals (17.28 percent). A small number of hospitals are not considered “community-run” hospitals and are either operated by the federal government (3.78 percent), classified as non-federal psychiatric hospitals (7.17 percent), or fall into some other category (1.59 percent). Nearly two thirds of community-run hospitals are located in urban centers, with the other third located in rural areas.2 Given the sheer size and range of players in the healthcare space, cybersecurity policy solutions must be similarly variegated to account for the individual capacities of different providers.
ii. Internal information sharing
The culture of open collaboration in healthcare stems from two places. First, the collaborative information sharing environment is the result of an exploratory and academic community in medicine that encourages teaching and sharing from the outset of a physician’s education. A second reason for a collaborative environment is largely practical: in an emergency situation, physicians and nurses must have immediate access to an individual’s health information. Some of the most widely discussed cybersecurity challenges that stem from this open and collaborative environment are related to securely sharing patient data and the inherent limits of interoperability in healthcare.
Consider the scenario where an emergency department must administer a certain drug, but is unable to pull up a medical record to see if their patient is allergic to that drug. Or the situation where a patient requires an immediate blood transfusion, but doctors are unable to access the medical records that contain the patient’s blood type. In these scenarios, if an emergency department does not have immediate access to the appropriate records and makes the wrong call, a patient could be killed.
In many industries outside of healthcare, cybersecurity professionals are able to restrict access to certain internal systems to only those authorized users who should be able to access that system. This approach is called role-based access control (RBAC). By the same token, multi-factor authentication, a common solution for verifying a user’s identity, works hand in hand with RBAC to ensure the right people are accessing the right data. However, in an emergency situation, blocking a nurse’s access to medical records with multi-factor authentication or RBAC—for instance, because the patient in question is not in the nurse’s typical practice environment—could be a lethal decision. Thus, healthcare providers choose to have an open information sharing environment with few traditional cybersecurity policies in place, which solves the emergency situation problem but introduces another threat: insiders who already have access to a medical record (see Threat Landscape section below).
iii. External information sharing
Cybersecurity information sharing between different healthcare organizations, like in many industries, is a complicated and multifaceted challenge. There is a diverse range of healthcare stakeholders with differentiated capacities, and the regulatory environment is sufficiently complex that it becomes difficult to meaningfully share information on emerging threats, such as those affecting new hybrid infrastructures.3 Furthermore, the amount of information shared across government and industry information sharing organizations is immense, creating a fire hose that is difficult to process, especially for small- and medium-sized healthcare organizations. In short, many organizations, especially smaller and more distinctive ones, are not well served by any of the numerous information sharing and analysis organizations (ISAOs), such as H-ISAC, HITRUST, NIST, and the FBI’s Cyber Health Working Group.
iv. Internet of Things (IoT)
There are a number of life-supporting medical devices that can be lethal if misused or compromised following a cyber incident. The devices most vulnerable to attack are so-called legacy medical devices. Legacy medical devices are outdated systems that continue to operate in the clinical setting despite having known cybersecurity vulnerabilities. Academic research and real-world incidents have on countless occasions demonstrated the worrisome consequences of poor medical device cybersecurity in legacy systems, including shutting off life-supporting implanted devices and disabling medical equipment found in operating rooms.4 On the privacy side, healthcare must also consider how the deployment of these devices creates HIPAA implications due to their role in collecting data—a position that many device manufacturers still shy away from—as well as their network-connected nature.
v. Rapid digitization and interoperability
The healthcare sector frequently discusses how new technologies and data analytics can be used to improve clinical outcomes. As discussed earlier, the proliferation of these technologies, including EHRs and medical IoT, creates a number of cybersecurity vulnerabilities.
Less frequently discussed is how the same types of technologies can be used to protect patient privacy and security. This oversight has led providers to be wary of tools and techniques that could be useful for protecting patients from cyber incidents and slow to adopt them. There is an underlying culture of “no” that has emerged around healthcare cybersecurity technology, which stands in contrast with the often eager adoption of new technologies that promise to directly improve clinical outcomes. For instance, the post-OPM breach report noted the value of an AI-driven solution in mitigating threats, demonstrating that it is time for all industries to embrace these types of tools.5 Health professionals tend to take an attitude of “if it ain’t broke, don’t fix it” to cybersecurity, not realizing that their long-held methods and tools may actually have been broken the whole time. While this attitude is beginning to shift in some ways, the industry still needs to take more of a long-term perspective.
If healthcare continues to approach patient privacy and safety in the same way it always has, we risk an even greater number of cybersecurity disruptions that negatively impact clinical outcomes. Viewed through this lens, patient privacy and safety, and therefore cybersecurity, is a patient health concern. With regards to adopting cutting edge cybersecurity technologies in healthcare, there needs to be a shift away from the culture of “no” towards a culture of “yes… and let’s be thoughtful about how we introduce new systems.” This parallel track of investment and thoughtfulness about how healthcare uses these sophisticated techniques for defending healthcare institutions is important for continuing to deliver the best patient outcomes. It also means investing in healthcare-specific cybersecurity technologies that mesh with the healthcare sector. Going one step further, any innovation that is introduced into the healthcare ecosystem must be designed and implemented with cybersecurity as a fundamental priority from the beginning to the end of a technology’s life, as espoused by the “privacy by design” or “security by design” principles that have been incorporated into regulations like GDPR.6,7
vi. Personnel
While HIPAA effectively articulates key principles of patient privacy and security, implementation of and compliance with these principles often follow rigid check-the-box approaches. This may not lead to effective privacy and security risk management, because the checkboxes are unlikely to reflect best practices in risk management and substantial resources are allocated to compliance rather than to actually managing risk. A fundamental shift away from the check-the-box approach is required, moving towards HIPAA implementation that is both comprehensive and integrated between privacy and security.
Healthcare organizations vary widely in their security reporting structures, but not so much in the issues they face. Many struggle to designate responsibility and accountability over cybersecurity. CISOs often assume responsibility for cybersecurity matters, but that is not always the case, particularly in smaller organizations that cannot afford dedicated security personnel. Health professionals may not leap at the chance to take on cybersecurity responsibility (even though many continuously interact with sensitive technology) because successful cybersecurity is often seen as avoiding a loss, not making a gain. Without a formal reporting structure, system of metrics that provides basic data on cybersecurity performance, or lead on cybersecurity issues, there is no way to ensure accountability and responsibility.
Exacerbating the issue of responsibility delineation, healthcare systems often silo privacy and security into very different parts of the organization. Privacy usually falls under regulatory-focused legal and compliance teams, while security is allocated to engineering-focused technical teams. Though they come from different backgrounds and possess very different skills, privacy and security departments share a single mission: to ensure the trustworthiness of patient treatment and data collection systems. It is increasingly apparent that separating healthcare privacy and security teams creates substantial challenges related to privacy and security protections, like long response times, slow evolution of programs, duplication of efforts, and lack of knowledge across silos. Non-healthcare companies, including those in the Fortune 500, less often have this siloed structure and health organizations need not have it either, despite the sector’s unique data sharing culture and regulatory environment.
vii. Budget
The healthcare sector writ large operates on margins that are much lower than those of other sectors (2.7 percent in health care8 versus a 7.9 percent average across all sectors9). Limited resources, especially within small- and medium-sized entities, make investment into cybersecurity tools and technologies a difficult sell for most nonprofit healthcare organizations.10 To provide some context, while comparable industries spend about 8 percent of their budgets on structures intended to protect against traditional, external network threats, healthcare organizations generally spend around 1 to at most 5 percent of their budget on this problem.11 For large organizations with an expansive attack surface, malicious cyber attackers and insiders create persistent threats that are difficult to thwart, even for organizations dedicating substantial resources.12 Moreover, there is no standard benchmark on the most appropriate allocation of resources for cybersecurity per unit of scale in a health system, making it impossible for providers to weigh the expected margin of return for additional cybersecurity investments. Even non-budgetary benchmarks for cybersecurity systems, like the NIST Cybersecurity Framework13 or the ISO 27001 standards14, are difficult to translate into standards that can work specifically for the healthcare sector.15
The margin of 2.7 percent in healthcare for FY 2016 represents the average across the entire healthcare sector, which includes both large and small organizations. After disaggregating these groups, the largest healthcare organizations have higher total profits than small-sized healthcare providers (estimated at 6.7 percent), even though margins for patient care still remain slim for both.16 Small- and medium-sized organizations that are often rural and publicly owned struggle even more than larger organizations because of “dwindling payments, fewer patients, and an inability to compete against larger, better-funded systems when negotiating payment rates with commercial insurers.”17 These already thin margins for small, medium, and large health organizations are only likely to decrease in the future as providers struggle to reconcile rising costs.18
While the actual cost of robust cybersecurity programs varies, it does take some resources to get cybersecurity right, and most healthcare organizations think that they do not have adequate resources to implement state of the art monitoring programs necessary to protect their organizations. Healthcare organizations do have some leeway to make cybersecurity a strategic priority during budgeting season, however it is usually triaged in favor of other interests that are rightfully viewed as more critical (such as hiring additional clinical staff). Still, it is important to find ways to grow the cybersecurity capacity of healthcare organizations, even with the understanding that current budgets and budget priorities do not meet the need.
In one instance that is indicative of the wider problem, a healthcare delivery organization in West Virginia operated with such limited resources that it replaced its vulnerable computer systems only after a massive cyber attack completely corrupted them and shut them down, causing clinical workflow disruption and delay.19 As technology becomes even more infused in routine healthcare delivery, a cyber attack like the one in this example is likely to be even more catastrophic. This “wait until disaster strikes” approach is not uncommon. Most health system administrators agree that their security budgets or IT infrastructure would only receive improvements after a serious, life-threatening incident occurred.20 Overall, constrained budgets have forced healthcare systems to make strategic trade-offs during budgeting processes, and cybersecurity often loses out.
viii. Threat landscape
As with many industries, a challenge for healthcare privacy and security is the insider threat: those people who already have permissible access to a medical record. Insider threats typically fall within the domain handled by privacy teams due to the HIPAA implications of an insider threat. In healthcare, there are two big problems and trends in this regard. First, there are an increasing number of connections and linkages between individuals, healthcare institutions, information exchanges, and interoperable devices, which is incredibly beneficial for providers and patients alike. But simultaneously, there are no controls over who can access those records and devices. For instance, volunteers and first year medical students generally have unfettered access to medical records with virtually no controls in place to stop them from accessing or looking at records. Second, there is generally little risk of someone discovering an unauthorized access, aside from some regular reports or random audits. This is true of nearly every healthcare organization in the United States.
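As an added illustration of the tension described under Internal information sharing and in this section (example code, not from the report), the following Python models a break-glass access policy: role-based access that never blocks a clinician in an emergency, but records and flags every override so a privacy team reviews it systematically rather than relying on occasional random audits. The roles, units, review threshold and sample events are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed example: roles, units, thresholds and events are assumptions,
# not values from the report.
CLINICAL_ROLES = {"physician", "nurse"}


@dataclass(frozen=True)
class User:
    uid: str
    role: str
    home_unit: str


@dataclass(frozen=True)
class Patient:
    mrn: str        # medical record number
    unit: str       # unit currently responsible for the patient


@dataclass
class AccessEvent:
    ts: datetime
    uid: str
    mrn: str
    decision: str   # "allow" or "deny"
    flagged: bool   # True when privacy staff must review this access
    reason: str = ""


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, ev):
        self.events.append(ev)
        return ev


def authorize(user, patient, log, now, break_glass_reason=""):
    """Decide a chart-read request and always write it to the audit log.

    Routine RBAC: clinicians read charts on their own unit unflagged.
    Break-glass: a clinician may open any chart immediately by stating an
    emergency reason; the read is allowed, never blocked, but flagged.
    Students read only on their home unit and are always flagged.
    Volunteers are denied chart data entirely.
    """
    clinician = user.role in CLINICAL_ROLES
    on_unit = user.home_unit == patient.unit
    if clinician and on_unit:
        decision, flagged = "allow", False
    elif clinician and break_glass_reason:
        decision, flagged = "allow", True
    elif user.role == "student" and on_unit:
        decision, flagged = "allow", True
    else:
        decision, flagged = "deny", False
    log.record(AccessEvent(now, user.uid, patient.mrn, decision, flagged,
                           break_glass_reason))
    return decision


def review_queue(log, window=timedelta(hours=24), max_flagged=2):
    """Build the privacy team's review list from the audit log.

    Every flagged access is queued. A user whose flagged accesses within
    `window` exceed `max_flagged` is escalated, so repeated off-unit
    browsing is caught by a standing check instead of a random audit.
    """
    flagged = [e for e in log.events if e.flagged]
    escalated = set()
    for e in flagged:
        recent = [f for f in flagged
                  if f.uid == e.uid and e.ts - window < f.ts <= e.ts]
        if len(recent) > max_flagged:
            escalated.add(e.uid)
    return flagged, sorted(escalated)


def demo():
    """Run a constructed shift's worth of requests and return the outcome."""
    log = AuditLog()
    t0 = datetime(2024, 1, 1, 8, 0)      # constructed timestamp
    rn = User("rn-1", "nurse", "ICU")
    md = User("md-1", "physician", "ER")
    st = User("st-1", "student", "ICU")
    vol = User("vol-1", "volunteer", "ICU")
    icu_pt = Patient("MRN-100", "ICU")
    onc_pt = Patient("MRN-200", "oncology")
    decisions = [
        authorize(rn, icu_pt, log, t0),                                 # routine
        authorize(md, icu_pt, log, t0),                                 # off-unit, no reason
        authorize(md, icu_pt, log, t0, "ER transfer: allergy check"),   # break-glass
        authorize(st, icu_pt, log, t0),                                 # allowed, flagged
        authorize(vol, icu_pt, log, t0),                                # denied
    ]
    # The same nurse opening off-unit charts three times in a shift: every
    # read succeeds, but the pattern is escalated for review.
    for hour in range(3):
        authorize(rn, onc_pt, log, t0 + timedelta(hours=hour), "covering shift")
    flagged, escalated = review_queue(log)
    return decisions, len(flagged), escalated


if __name__ == "__main__":
    print(demo())
```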
Despite these challenges, healthcare is at an inflection point, presenting numerous opportunities to reshape the culture of the sector according to a more positive and forward thinking vision. The next section describes these opportunities.
III. Healthcare Culture Policy Recommendations
Taken together, the recommendations contained in this chapter set out specific measures needed to shift cultural norms surrounding healthcare cybersecurity. In five years’ time, patients should be able to trust providers to protect their personal health information, keep their life supporting devices safe from cyber threats, and continue to deliver uninterrupted healthcare services. The government may be able to help instill this culture through the creation and dissemination of clear security standards and best practice frameworks.21
These policy recommendations are directed towards federal agencies including HHS OCR, the Department of Homeland Security (DHS), the Office of the National Coordinator for Health Information Technology (ONC), the Agency for Healthcare Research and Quality (AHRQ), the National Institutes of Health (NIH), the Centers for Disease Control and Prevention (CDC), the National Academies, NIST, and others. Recommendations are also directed towards healthcare industry leaders, since the most impactful cultural change may result from a series of normative decisions made by individual providers.
Recommendation #3.1: The Department of Health and Human Services Office for Civil Rights should showcase health systems with innovative privacy and security programs.
Privacy and security teams in the health sector have a hard job. They need to be able to respond to any of a plethora of threats quickly, effectively, and within a complicated regulatory framework, while also building processes and optimizing organizational structure. Healthcare providers need a way to learn about how others have successfully met these challenges. According to behavioral scientists, the best way to spread positive organizational change is through articulating purposeful visions or “stories” for why change should happen.22 In order to effect change in the culture around healthcare cybersecurity therefore, OCR should utilize the levers at its disposal to tell stories about security role models.23
Currently, most of the stories OCR and the rest of HHS tell are cautionary tales about data breaches. As of this writing, the OCR’s “Wall of Shame” includes, among many others, a Texas cancer research center that lost two unencrypted USB drives; a South Florida hospital corporation that allowed an attacker to steal data through the login credentials of a former employee; and a global cancer care service that let an attacker access data on over two million individuals, including names, social security numbers, physicians' names, diagnoses, treatments, and insurance information.24
We suggest that in addition to the current, more punitive model, the OCR consider adding real world, positive examples of optimal risk assessment processes. This proposed “Best Practices Showcase” should highlight organizations that are cooperating effectively and thinking ahead about their holistic trust posture, rather than just checking off boxes on security and privacy requirements. The showcase would hopefully put forth forward-looking, health cybersecurity leaders as role models to others in the sector. This approach mirrors best practices in behavioral science, which recommend creating adaptive structures and processes focused on both positive and negative reinforcement.25 The closest analog to this recommendation currently offered by HHS are the HIPAA case examples, which are woefully unspecific and totally anonymized.26
One of OCR’s most challenging tasks in promoting positive role models would be to define what constitutes good cybersecurity practices. In doing so, OCR may want to look at how organizations address both privacy and security, in order to promote collaboration and integration between the two domains. It may even want to promote specific privacy-security collaborative activities, such as weekly privacy-security huddles, shared KPIs, and codeveloping risk agendas. The metrics described in Recommendation #3.3 may also help in identifying positive role models.
On top of defining a rubric for what measures quality in this so-called “Best Practices Showcase,” HHS should engage in research to find out how to design this program so as to be most useful to the industry. Are hospitals interested in this kind of acclaim or do they fear it puts a target on their heads? Do patients consider cybersecurity when selecting a healthcare provider? Are there subsectors of the health system, such as mental health, where providers or patients are more interested in best security practices?
The answers to these questions may reveal that health systems are not interested in contacting OCR and opening themselves up to conversations with regulators. To mitigate this, OCR could start by piloting this program (as the FDA is currently doing with its “Expedited Access Pathway” program for medical devices27) in order to take in lessons learned about good processes and insulate both providers and OCR in case this model turns out to be untenable. The program could also focus more on organizations that already have Corrective Action Plans, allowing them to get positive PR for work they have already done and protection from negative PR under nominal OCR experimentation. If needed, OCR could also offer monetary rewards and incentives. In order to facilitate these improvements, it goes without saying that Congress should appropriately fund OCR’s essential work, as these budgets have decreased or flatlined in recent years. These budgets could have specific line items for privacy and security education and incentives to ensure the money is spent roughly as outlined above.
By promoting best practices and highlighting institutions that go above and beyond, OCR can hasten the various cultural shifts needed across the healthcare sector to improve cybersecurity. This approach does not require OCR to give organizations all the answers. Rather, it empowers healthcare organizations directly by amplifying the great work already being done. Recognition is an easy place to start, but monetary rewards could be a possible next step to encourage cultural change.
Recommendation #3.2: Incentivize and provide structures for multi-tiered information sharing for healthcare’s diverse practice environments.
Not all healthcare providers have the same cybersecurity needs, and they certainly do not all have the same resources to meet those needs. A large regional IDN hospital might have a CISO and robust security operations center (SOC) in charge of constantly thinking ahead to ward off attacks. A single doctor’s practice might only have a sticky note on a computer asking employees not to share passwords. Healthcare professionals need ways to learn, share, and ask questions about the most up to date information on relevant cybersecurity issues. However, the design of these information sharing systems should be specifically tailored to the individual needs of small, medium, and large organizations.
Small organizations, like individual providers, should receive positive incentives for taking basic cybersecurity measures and undergoing education campaigns. The incentives can be modeled after a recent recommendation from AMA, wherein clinicians receive bonus points through the Merit-based Incentive Payment System (MIPS) track of the Medicare Quality Payment Program.28 As AMA suggests, physicians should be recognized when they use certified and even non-certified health IT, or when they go above and beyond the requirements of HIPAA. To determine the exact criteria, AMA and AHA could leverage their existing relationships and lines of communication with healthcare providers to learn about the cyber needs of their constituents. Then HHS, with input from industry players, could determine the best tools and education solutions to address their issues. Finally, AMA and AHA could once again leverage their existing relationships to communicate and promote those programs back to their constituents. To clear the way for these campaigns, there may need to be regulatory exceptions for cybersecurity products added to the Stark Law and Anti-Kickback Statute (more on this in Recommendation #3.5).
Medium-sized healthcare providers such as individual hospitals or small systems are somewhat caught in an awkward middle, since they may be too large to benefit from basic tips and plug-and-play cybersecurity solutions, but too small to fund a dedicated cybersecurity team that can keep up with the latest developments in the field. To prevent them from falling through the cracks (and building off of the important emphasis of the Cybersecurity Task Force on Managed Security Services), DHS should subsidize their use of managed security service providers (MSSPs), potentially in the form of a tax credit. MSSPs would be able to take some of the burden of managing their own cybersecurity off of medium-sized healthcare providers. In managing multiple organizations, MSSPs would be able to participate in the cybersecurity information systems aimed at large health organizations.
Large health organizations like IDNs need the most breadth and depth of cybersecurity information. They require real-time knowledge of recent or ongoing attacks, cyber indicators, and threat analysis that provides insights into both external and internal threats with great sophistication. To this end, DHS should support research grants that test innovative approaches pioneered by these large organizations in sharing information through unified analytics platforms that build upon ISAOs and information-sharing groups. Traditionally, this approach has been focused on such grants as those that centered on creating ISAOs and ISACs, but we believe that large health systems themselves might have the most insight into how to pilot local, regional, and ultimately national collaborations. This “laboratory of democracy” approach, as with the states, would complement and overlap with, rather than replace, the very important efforts occurring at the national level. Examples of such collaborations might include experiments in institutional sharing of SOCs between different health systems, AI-enabled platforms that continuously improve in accuracy as more health systems utilize them, and other high tech and low tech methods of learning from one another.
Recommendation #3.3: Develop the cybersecurity equivalent of the nurse-to-patient ratio.
One of the many key recommendations from the Health Care Cyber Security Task Force report that bears emphasizing and operationalization is that healthcare should consider implementing a “safe patient ratio” for cybersecurity. The core idea behind such a ratio is that in order to guide healthcare providers in their allocation of resources, there should be guidelines for how many team members, or how much budget, should be allocated to cybersecurity, per given unit of scale for a health system. Such a ratio, or basket of ratios, could be similar to the nurse-to-patient ratio mandated by California in 2004.29
Simplifying such an elusive and multifaceted concept as cybersecurity into one or a few metrics comes with challenges. The most important step prior to setting a cybersecurity-healthcare ratio is actually to illuminate the factors that go into the numerator and denominator. It may therefore make more sense to say that X dollars must be spent on cybersecurity for every Y patients, or perhaps that one must have A cybersecurity professionals for every B beds at a facility. Many different permutations may exist, but there is not enough data yet to see how well organizations are performing with current cybersecurity resources and what these ratios should be. These high level metrics may be imprecise, but given the pressing cybersecurity challenges described in Chapter 1, more needs to be done to promote a data-driven approach towards cyber resource allocation.
Thus, the first step worth considering is an HHS-mandated and internally shared platform that compiles data on health system size and compares it to budget allocation for security and privacy. Metrics like incidents detected and resolved, budget allocated to cybersecurity, HIPAA complaints received, and more should be broadly provided, perhaps on a trial basis for some subset of thought-leading hospitals.30 Many of these metrics are already publicly available, such as broad census data on patient flow and bed size, but questions of budgetary spending on cybersecurity or the number of cybersecurity-dedicated team members are more proprietary. Beyond the data needed for a safe patient ratio, this might be a good opportunity to capture information like board reporting structures, presence of certain technologies, and other similar questions.
With this information, it is possible to observe how the scale of organizations, resources allocated, and privacy- and security-related outcomes interact. This information could be used to inform a group like H-ISAC in developing a NIST Cybersecurity Framework specific to the health sector. H-ISAC and the Health Care Industry Cybersecurity Task Force may already have started work on these metrics. In order to provide for the analysis of factors that may contribute to or defend against breaches, de-identified information should also be made available to researchers in the field.31
Second, researchers and healthcare industry leaders can determine the appropriate measure that captures cybersecurity resilience in healthcare. A model should be created that forecasts the degree to which the factors affecting healthcare cybersecurity resilience should change according to the scale of an institution; in other words, a cybersecurity ratio. This cybersecurity ratio should take into account a variety of factors (see Table 2), and researchers should continually refine it as new technologies and security practices emerge. Specifically, researchers should develop more comprehensive, quantitative risk assessments based on the strengths and weaknesses of previous ratios, thus enabling a more refined and robust ratio that is constantly evolving.
In order to facilitate these efforts, HHS and other public and private grant-making bodies should set up data-driven challenges and grants to investigate sector-specific factors that lead to an effective (or ineffective) cybersecurity and privacy posture. These grants could take a variety of forms, ranging from competitive federal awards like those administered by HHS and the ONC for information-sharing to national awards for academic research in healthcare like the plethora of programs administered by the AHRQ, the NIH, the CDC, the National Academies, and others. A table of example numerators, denominators, and variables to measure success is provided below.
Table 2: Possible Metrics for Creating a Cybersecurity Ratio
| Possible Numerators | Possible Denominators | Possible Confounding Variables | Possible Outcome Variables |
|---|---|---|---|
| Number of cybersecurity and/or privacy staff | Number of beds | Type of healthcare provider (e.g., community run, federally run, etc.) | Breaches per year |
| Money in annual budget for cybersecurity | Number of facilities | Area of practice | Events detected/resolved |
| Total cybersecurity payroll | Patients per year | Physical location of practice | Patient satisfaction |
| Percentage of budget spent on cybersecurity | Revenue | Usage of specific technologies/devices | Institutional/cultural knowledge |
| Number and severity of data breaches/cybersecurity incidents | | | |
| Patch status of deployed health IT assets | | | |
The overarching result following the establishment of a safe cybersecurity healthcare ratio is the illumination of discrepancies between the recommended and current cybersecurity levels. Organizations will be empowered to identify these gaps and move towards meeting recommended benchmarks.
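As an added example (not from the report), the following Python sketch shows the peer-comparison step this recommendation describes: it computes two candidate ratios from Table 2 for a set of constructed health systems, benchmarks each organization against the median of its provider-type peers (a confounding variable), leaves proprietary fields unset rather than guessing, and compares an outcome variable across the resulting gap list. All organization names, figures and field names are constructed assumptions.

```python
"""Peer benchmarking of candidate cybersecurity ratios (added example, not
from the report). All organizations and figures are constructed; no target
thresholds are assumed, since the text notes the data to set them does not exist."""
from statistics import median
from typing import Optional

# Constructed sample. sec_budget is None where an organization has not shared
# that (proprietary) figure.
ORGS = [
    {"name": "Rural Clinic", "type": "community", "beds": 25, "patients": 8000, "sec_staff": 0, "sec_budget": None, "breaches": 0},
    {"name": "County General", "type": "community", "beds": 200, "patients": 60000, "sec_staff": 2, "sec_budget": 400000, "breaches": 1},
    {"name": "Metro Health", "type": "community", "beds": 500, "patients": 180000, "sec_staff": 8, "sec_budget": 1600000, "breaches": 0},
    {"name": "VA Regional", "type": "federal", "beds": 300, "patients": 90000, "sec_staff": 6, "sec_budget": 900000, "breaches": 0},
    {"name": "VA Center", "type": "federal", "beds": 150, "patients": 45000, "sec_staff": 2, "sec_budget": 300000, "breaches": 2},
]

# Candidate ratios from the table: name -> (numerator, denominator, scale).
RATIOS = {
    "security staff per 100 beds": ("sec_staff", "beds", 100),
    "security dollars per patient": ("sec_budget", "patients", 1),
}


def ratio(org: dict, num: str, den: str, scale: float) -> Optional[float]:
    """numerator * scale / denominator, or None when a datum is missing."""
    n, d = org.get(num), org.get(den)
    if n is None or not d:
        return None  # never fabricate a value for an unshared field
    return n * scale / d


def benchmark(orgs: list, ratios: dict = RATIOS, stratify_by: str = "type") -> dict:
    """org name -> ratio name -> (value, peer median, below median) or None.
    Peer medians are taken within each stratum (here provider type) so that
    confounding variable does not distort the comparison group."""
    report = {o["name"]: {} for o in orgs}
    for rname, (num, den, scale) in ratios.items():
        values = {o["name"]: ratio(o, num, den, scale) for o in orgs}
        by_stratum: dict = {}
        for o in orgs:
            if values[o["name"]] is not None:
                by_stratum.setdefault(o[stratify_by], []).append(values[o["name"]])
        medians = {k: median(v) for k, v in by_stratum.items()}
        for o in orgs:
            v = values[o["name"]]
            if v is None:
                report[o["name"]][rname] = None
            else:
                m = medians[o[stratify_by]]
                report[o["name"]][rname] = (round(v, 2), round(m, 2), v < m)
    return report


def gaps(report: dict) -> list:
    """Sorted (org, ratio) pairs where the org sits below its peer median."""
    return sorted((org, r) for org, rs in report.items()
                  for r, t in rs.items() if t is not None and t[2])


def outcome_by_gap(orgs: list, report: dict, rname: str, outcome: str = "breaches") -> tuple:
    """Median outcome for orgs below their peer median vs. the rest. With a
    sample this small this shows the shape of the analysis, not evidence."""
    cells = [(report[o["name"]][rname], o[outcome]) for o in orgs]
    below = [x for t, x in cells if t is not None and t[2]]
    rest = [x for t, x in cells if t is not None and not t[2]]
    return (median(below) if below else None, median(rest) if rest else None)
```

Calling `gaps(benchmark(ORGS))` lists each (organization, ratio) pair that falls below its peer median, and `outcome_by_gap` compares breach counts between that group and the rest.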
Recommendation #3.4: Hold boards of directors responsible for healthcare privacy and security.
Cybersecurity is a strategic issue that warrants top-level accountability, but not all healthcare organizations give it the requisite high-level attention. Many organizations have CISOs and chief privacy officers who assume authority over security and privacy matters, but the outer edges of their responsibilities are often unclear. Without formal reporting structures, oversight of such hairy issues as privacy and security often falls through the cracks and accountability becomes impossible. This lapse can be seriously detrimental to health companies; a high-profile cyber attack can bring about irreparable loss of reputation, loss of life, and bankruptcy.32 But by attending to issues of cybersecurity, a board of directors can signal to the rest of the company that security and privacy should be considerations in any decision from the outset. Even organizations too small or understaffed to have a single person dedicated exclusively to cybersecurity should clearly delineate responsibility.
The Centers for Medicare and Medicaid Services (CMS) can ensure substantive board-level representation and reviews of institutional cybersecurity posture documented in board minutes by making them conditions for participation under Medicare. Approaches can be modeled after existing guidance and best practices from compliance programs, but the mechanism by which a cybersecurity lead reports to the board would have to be tailored to the size and structure of each health organization. For instance, this individual might be the CISO and have a literal seat at the table as a strategic member of the board. Alternatively, a smaller institution might have a combined vice president of privacy and security who reports to the audit committee of the board on a quarterly basis. What is important is the independent capacity to raise potential issues and gain visibility at the highest levels of the organization. Therefore, in its requirements the CMS should not hold health organizations to the unreasonable standard of having zero incidents but instead connect accountability to risk management and the right key performance indicators.33
In addition, Congress should consider passing legislation for the healthcare sector modeled after the proposed Cybersecurity Disclosure Act of 201734 and New York’s Department of Financial Services’ first-in-the-nation cybersecurity disclosure regulation35 to provide guidance on establishing board-level cybersecurity requirements. While the federal bill has not yet passed and the New York regulation could be strengthened by better defining certain baseline risk frameworks upon which to base threat assessments, both highlight the importance of board-level accountability and provide models for industry and future policy interventions in other sectors, like the healthcare sector.
As a result of such important levers being exercised, healthcare systems would prioritize cybersecurity as a top-level objective within their organizations, and better security and privacy reporting standards would be implemented across the entire healthcare ecosystem. Existing cybersecurity requirements would be more closely followed, leading to fewer exploited vulnerabilities and better responses post-breach. Most importantly, a culture of cybersecurity would be viscerally felt and lived from the highest levels of the organization, and teams responsible for its implementation would feel empowered, energized, and heard in their concerns and suggestions.
Recommendation #3.5: Ease resource sharing regulatory burdens to empower small- and medium-sized organizations.
(Author's Note: On October 10th, 2019, as this paper was going to publication, the authors were delighted to learn that HHS presented a Proposed Rule to update the Stark Law. This Proposed Rule had the goal of spurring value-based care arrangements, but with provisions that also allow for the donation or reduced-cost offering of cybersecurity protections and/or software to affiliated practices from health systems. While it is too early to comment on the implementation of this rule, and the proverbial devil will remain in the details, we are hopeful that this rule is very broadly interpreted to ensure that the wide array of locations between which health data are exchanged are all effectively covered by this exemption, given the significant networked vulnerabilities that exist in our current, highly-interoperable health data ecosystem.)
The Anti-Kickback Statute and the Stark Law prevent health professionals from using their powers of referral for their own gain by broadly regulating the kinds of resources they can share. However, these laws also stymie collaboration in cybersecurity, particularly affecting small and medium practices. For example, under the Anti-Kickback Statute, a large healthcare organization cannot provide a smaller partner with security technology to prevent it from becoming a supply chain liability. Under the same rules, a group of physicians may not be allowed to pool their resources in order to afford a third party cybersecurity provider. Even free software updates, security education, and technical support from health system technology developers may be illegal.36
AMA37, AHA38, CHIME39, HSCC40, and other organizations have all released letters suggesting cybersecurity exceptions be made to the Anti-Kickback Statute and the Stark Law in response to a Request for Information from the HHS Office of Inspector General (OIG). These exceptions could legally protect cybersecurity best practices and encourage collaboration. Both the Anti-Kickback Statute and the Stark Law have mechanisms by which to allow for benign commercial exceptions. The OIG has the authority to promulgate new Anti-Kickback Statute safe harbors and issue requests for suggestions in that regard every year. The HHS OIG should explore the negative impacts of the Anti-Kickback Statute to see whether it is hindering meaningful industry collaboration on cybersecurity efforts and consider issuing or explicitly requesting comment on a new safe harbor exception for cybersecurity.
Similarly, the CMS has the authority to create new regulatory exceptions under the Stark Law. CMS should leverage this authority to enable meaningful cybersecurity collaboration.41 Already, both HHS and CMS have created exceptions regarding the donation of EHRs, and a similar approach should be taken with the sharing of cybersecurity resources.42
The cybersecurity of small- and medium-sized healthcare organizations is disproportionately impacted by the Anti-Kickback Statute and Stark Law frameworks because they are less likely to have sufficient budgets to run secure practices. Relaxing the regulatory environment would enable meaningful industry collaboration, aiding the security of patients, payers, and providers alike.
Citations
- Alex B. Haynes, Thomas G. Weiser, William R. Berry, et al., “A Surgical Safety Checklist to Reduce Morbidity and Mortality in a Global Population,” The New England Journal of Medicine 360: 491, Jan 29, 2009. source
- Statistics drawn from the American Hospital Association’s 2016 AHA Annual Survey, which is the most recent version of the survey to be released at time of publication: AHA, Fast Facts 2018.
- For instance, hybrid clouds. A hybrid cloud infrastructure combines on-site infrastructure with external, third-party provided cloud services and requires the on-site provider (hospital, physician, etc.) to secure their own infrastructures. This hybrid structure introduces new end-to-end compliance and data security issues: TLP White, “FDA MD Plan, NIST Updates, Hybrid Could ICANN,” NH-ISAC National Healthcare, April 24, 2018; Bill Siwicki, “A Supercomputer Center Shows the Security Challenges of Operating a Healthcare Hybrid Cloud,” Healthcare IT News, April 18, 2018.
- Thomas Fox-Brewster, “Watching The Awful WannaCry Ransomware Scourge Hit Doctor’s Surgeries IRL,” Forbes, May 15, 2017; Swati Khandelwal, “FDA Recalls Nearly Half a Million Pacemakers Over Hacking Fears,” Hacker News, August 21, 2017.
- U.S. House of Representatives Committee on Oversight and Reform, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation,” September 7, 2016. source
- Ben Davis, “GDPR requires privacy by design, but what is it and how can marketers comply?” Econsultancy, August 25, 2017. source
- GDPR, Article 25
- Margins in not-for-profit and public health systems also dropped from an average of 3.5 percent in FY 2015 to just 2.7 percent in FY 2016. For some comparison, estimated margins in the real estate development and brokerage and investment banking sectors are at 13.45 and 15.01 percent, respectively. Kelly Gooch, “Moody’s: US nonprofit hospitals see decrease in median operation margin,” Becker’s Healthcare, May 17, 2017 in reference to Moody’s, Preliminary FY 2016 US NFP Hospital Medians Edge Lower on Revenue, Expense Pressure, May 16 2017. (Hereafter: Moody’s, Preliminary FY 2016); NYU Stern, Operating Net Margins, 2018.
- New York University Stern School of Business, Operating Net Margins by Sector (US), January 2018. (Hereafter: NYU Stern, Operating Net Margins, 2018).
- Cybersecurity Task Force, Report, 35.
- Elizabeth Snell, “Why Healthcare Cybersecurity Budgets Should Increase,” HealthITSecurity, July 31, 2017.
- Ge Bai, John Xuefeng Jiang, Renee Flasher, Hospital Risk of Data Breaches, JAMA Network, April 3, 2017.
- NIST, “NIST Cybersecurity Framework”, 2018. source
- ISO, “ISO/IEC 27000:2018”, source
- Thanks to Dr. David Mussington for pointing this out.
- This is according to an Axios report that found healthcare margins in large-sized healthcare organizations can be up to 6.7 percent on average when accounting for Wall Street investments, mergers, and other investment options; however, this margin is still below the 7.9 percent cross-sector average. Full report here: Chris Canipe and Andrew Witherspoon, Not-for-profit Hospital Systems: 2016-17 Financials, Axios. source (Hereafter: Not-for-Profit Hospital Systems, 2016-2017).
- Not-for-Profit Hospital Systems, 2016-2017.
- In a statement, the American Hospital Association (AHA) cited the high cost of prescription drugs, increased regulatory burdens, and funding shortfalls in Medicaid and Medicare as leading reasons for the difficulty in keeping pace. According to AHA, regulatory burdens alone cost their constituents $39 billion a year. See the AHA report here: Regulatory Overload Report, American Hospital Association, October 2017.
- Jessica Davis, “West Virginia Hospital Replaces Computers After Petya Cyberattack”, Healthcare IT News, June 30, 2017. source
- Ponemon, Medical Device Security.
- Thanks again to Dr. David Mussington for helping frame this problem.
- Emily Lawson and Colin Price, “The Psychology of Change Management,” McKinsey Quarterly, June 2003. (Hereafter: Lawson and Price, 2003.)
- This recommendation originated from the 2017 OCR-NIST conference.
- U.S. Department of Health and Human Services, “Compliance & Enforcement: Resolution Agreements and Civil Money Penalties,” source
- Lawson and Price, 2003.
- U.S. Department of Health and Human Services, “Compliance & Enforcement: Case Examples,” source
- FDA, Expedited Access Pathway Program, February 8, 2018.
- For additional information on this, see the May 24, 2018 letter from the AMA to the Committee on Energy and Commerce.
- In 2004, California became the first state to enact legislation that required hospitals to meet a minimum registered nurse to patient ratio. The intent of the law was to improve patient outcomes and “although no consensus has yet been reached, studies have shown that the law has improved patient care in a variety of domains.” (See: J. Paul Leigh, “California’s Nurse-to-Patient Ratio Law Reduced Nurse Injuries by More Than 30 Percent,” Economic Policy Institute, March 3, 2015.) In addition, the same research found that the number of nurse injuries also dropped after implementation of the safe nurse to patient ratio. This program evolved from a critical need to protect patients, nurses, and healthcare providers. The law works by mandating that for every X patients, there must be at least Y nurses to treat them, ensuring a minimum ratio of nurses to patients and appropriate “coverage” based on the complexity of care being provided. While simple, it is elegant in its message: one cannot achieve excessive efficiencies at the cost of good patient care.
- These examples come from the UCISA Information Security Management Toolkit. source
- Examples of this sort of preliminary work include research from Ge Bai, John Jiang, Renee Flasher, Hospitals Risks of Data Breaches, JAMA Internal Medicine, 2017, 177(6), 878-880.
- 21st Century Oncology Holdings, the global cancer care company mentioned in Recommendation #3.1, filed for bankruptcy around two years after its breach of 2.2 million patient records. The breach was only one of many disreputable behaviors that brought its downfall, but the $2.3 million fine from the HHS certainly did not help. source
- Thank you to Michael Daniel for providing this insight.
- The Cybersecurity Disclosure Act requires publicly traded companies to disclose to the SEC the level of cybersecurity expertise at the board level or, if no such expertise exists, report on other cybersecurity steps that were taken into account by the company (see: Senate Committee on Banking, Housing, and Urban Affairs, Cybersecurity Disclosure Act of 2017, 115th Cong., 1st Sess., 2017, S. 536).
- New York’s cyber regulation requires financial institutions to comply with a number of cybersecurity measures: “to have a cybersecurity program designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.” (see: New York State, DFS Cybersecurity Regulation Compliance Requirements Are Effective Today, August 28, 2017, source.)
- For these examples and others, see the February 26, 2018 letter from the AMA to the Office of Inspector General. source
- Ibid.
- American Hospital Association, “Legal (Fraud and Abuse) Barriers To Care Transformation and How to Address Them,” February 28, 2017. source
- Russell Branzell (College of Healthcare Information Management Executives (CHIME) CEO) & Cletis Earle (Chair, CHIME Board of Trustees), Letter to Daniel R. Levinson, Inspector General for the US Department of Health and Human Services dated Oct 26, 2018 (CHIME website, Oct 2018) source
- Greg Garcia, Executive Director for Cybersecurity, Healthcare Sector Coordinating Council, Letter to Susan Edwards, Associate Counsel, Office of the Inspector General for the US Department of Health and Human Services dated October 26, 2018 (Healthcare Sector Coordinating Council website, Oct 2018) source
- The CMS had an open request for information regarding the regulatory burdens of the Stark Law for two months, ending on August 24, 2018. For more see: Centers for Medicare & Medicaid Services, “Medicare Program; Request for Information Regarding the Physician Self-Referral Law,” Federal Register (Washington, D.C.: June 25, 2018). source
- See the CMS’s December 27, 2013 revisions. Centers for Medicare & Medicaid Services, “Medicare Program; Physicians' Referrals to Health Care Entities With Which They Have Financial Relationships: Exception for Certain Electronic Health Records Arrangements,” Federal Register (Washington, D.C.: December 27, 2013) source