Does your healthcare organization have a “competent” cybersecurity program?

Most healthcare organizations realize that they need to follow HIPAA guidelines to protect their patient data. But what exactly does a competent cybersecurity stance look like in healthcare circa 2022?

It’s a question raised by a recent lawsuit filed in the State of California by plaintiff Vickey Angulo against defendant SuperCare Health, Inc. The Class Action Complaint alleges that SuperCare Health, Inc. failed to implement “adequate and reasonable cybersecurity procedures and protocols” necessary to protect patient data even though attacks against healthcare organizations and databases are a common occurrence.

The lawsuit claims that the defendant’s “incompetent” security measures are the cause of the breach, and that they now place all the class members at risk of identity theft and fraud in perpetuity.

This brings us to our core question – what does a “competent” cybersecurity program look like? One could argue that a competent security stance successfully wards off all cyber-attacks, but that may be too lofty an ambition. In fact, according to Ponemon, 89% of healthcare entities have experienced a data breach, and overall, the healthcare sector experiences more data security incidents than any other industry.

So, if we can’t rely on whether or not you’ve had a breach to determine the competence of a security program, then how do we measure it? Returning to the Angulo vs. SuperCare lawsuit, we find some important information on what, at least, is being claimed as evidence of incompetence.

First, the plaintiff points out that, based on the statistics offered above, SuperCare should have known that a cybersecurity attack was imminent and, therefore, should have implemented a robust security program in anticipation of bad actors attempting to access its data. The lawsuit goes on to suggest that the defendant failed to meet minimum standards, including several best practices:

  • Educating all employees
  • Strong passwords
  • Multi-layer security, including firewalls, antivirus, and anti-malware software
  • Encryption, making data unreadable without a key
  • Multi-factor authentication
  • Backup data
  • Limiting which employees can access sensitive data

In addition, the plaintiff asserts that the healthcare organization failed to implement the minimum standards of a cybersecurity framework, citing several examples, including NIST Cybersecurity Framework Version 1.1.

This information gives us some key points toward a working definition of competence. The lawsuit goes on to identify a long list of failures, which essentially walks through the domains of the NIST controls and suggests that the organization failed to implement even the most basic of security requirements.

Among the key takeaways from the lawsuit is that merely following HIPAA is not enough. Organizations must take the cybersecurity threat seriously and move quickly to ensure that they have an established, organized, well-documented, and actively maintained cybersecurity program, or face significant financial and reputational consequences. Statistically speaking, it’s no longer a question of if you’ll experience a breach, but when, and how bad. We now also must ask ourselves this: how likely is it that we could be sued for some type of negligence, and can we demonstrate competence in the face of such a lawsuit?

The lawsuit specifically references the NIST Cybersecurity Framework version 1.1, which is publicly available from NIST. NIST stands for the National Institute of Standards and Technology, and its cybersecurity framework is built around five core functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

NIST publishes several standards, but for healthcare, generally, non-federal organizations should focus on implementing NIST SP 800-171, while federal organizations would use the NIST SP 800-53 framework.

The NIST SP 800-171 framework contains 110 controls that overlap with a significant number of relevant HIPAA controls. It is important to note that NIST does not fully cover the HIPAA requirements. This means that an organization must evaluate its security program through various lenses, including HIPAA, NIST, State Medicaid, contract obligations, accreditation obligations, insurance requirements, and other risk factors, including record storage count, IT system footprint, and threat landscape.

That said, obtaining the NIST framework, identifying the controls relevant to your organization, training employees, and encrypting your data are concrete and actionable steps that move the needle towards a more competent cybersecurity program.

If the Angulo vs. SuperCare lawsuit teaches us anything, it’s that the definition of competence is evolving, and merely following HIPAA is no longer enough for healthcare organizations to mitigate the risk of a breach or a downstream lawsuit. Organizations must run, not walk, towards the implementation of a robust cybersecurity program and be prepared to defend themselves not only against an evolving cybersecurity landscape but also against an evolving legal landscape.