Cybersecurity and Hospitals: Four Questions Every Hospital Leader Should Ask in Order to Prepare for and Manage Cybersecurity Risks

This resource was prepared exclusively for American Hospital Association members by Mary Ellen Callahan of Jenner & Block. ©2013 American Hospital Association

Introduction

Cybersecurity has been a hot topic, both within the government and the private sector, for several years. However, the issue recently has taken on even greater prominence. Many organizations, from private media companies to the U.S. Department of Defense, recently disclosed cybersecurity intrusions. Private sector chief executive officers (CEOs) and general counsels have consistently identified cybersecurity threats as one of their top concerns.[1] And in February 2013, President Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity with the goal of improving cybersecurity and reducing cyber threats to the nation’s “critical infrastructure sectors,” including the Healthcare and Public Health Sector. Despite the attention cybersecurity has received, not everyone knows what cybersecurity is or what it really means for American businesses, particularly for those in the critical infrastructure sectors referenced in the president’s executive order.[2]

Hospitals and health care organizations fall into the Healthcare and Public Health Critical Infrastructure Sector under federal law and policy; the executive order uses the same critical infrastructure classifications when identifying the potential impact on the U.S. economy by cybersecurity threats. In other words, the executive order and other government policies collectively identify hospitals’ systems and assets as so vital to the U.S. that their impairment would severely threaten public health and safety.[3] As a result, hospitals need to have an awareness of cybersecurity risks, as well as a clear understanding of what their cybersecurity responsibilities are (and how they might intersect with other statutory and regulatory requirements). This paper provides an overview of what cybersecurity is and addresses four questions that hospital leaders should consider when thinking about cybersecurity and how it impacts their organization:

(1) Why should hospitals and hospital leaders care about cybersecurity?
(2) What should hospitals do in response to the 2013 Executive Order on Cybersecurity?
(3) How can hospitals best protect their assets and manage cybersecurity risks?
(4) What are the roles of hospital leadership and how can leadership stay informed about cybersecurity threats to the hospital?

This paper is intended to make the cybersecurity issues specifically facing hospitals concrete, identifiable and actionable. It includes an appendix that provides an overview of the 2013 Executive Order on Cybersecurity and a glossary of the cybersecurity terms used in general discussions of cybersecurity and in this paper.

I. Why should hospitals and hospital leaders care about cybersecurity?

Cybersecurity vulnerabilities and intrusions pose risks for every hospital and its reputation.

The expanded use of networked technology, Internet-enabled medical devices and electronic databases in administrative, financial and clinical arenas not only brings important benefits for care delivery and organizational efficiency, it also increases exposure to possible cybersecurity threats. Many medical devices and other hospital assets now access the Internet – both in encrypted and unencrypted fashion. Billing systems use electronic transfers, medical devices upload vital statistics in real time to electronic health records, hospitals allow patients and visitors access to hospital WiFi as a courtesy, patients are being provided access to protected health information (PHI) via authentication on the Internet – all of these are important and vital aspects of a modern hospital ecosystem. In addition, email systems are subject to common threats like “spear-phishing.” The number of cyber attacks on American assets has been increasing, particularly in the critical infrastructure sectors such as information technology and communications. Although not as prominently discussed in the media, attacks against the Healthcare and Public Health Sector also are increasing. There are several different types and causes of cybersecurity threats, the names and descriptions of which can be found in the attached glossary.

Whatever the cause of the intrusion, the reputational, structural and, potentially, financial impacts for a hospital may be the same. Industrial espionage intrusions against hospitals, for example, have resulted in the theft of information about innovations in medical technology, including system documentation, beta and pilot testing reports, and research notes. Other cyber criminals, whether part of criminal organizations or acting independently, have attempted to penetrate hospitals and health care companies to steal employee data and personally identifiable information and PHI of patients to sell in online black markets. There even exists the threat of cyber terrorism against a hospital, which might include attempts to disable medical devices and other systems needed for the provision of health care. The Food and Drug Administration (FDA) recently acknowledged this medical device vulnerability when it issued an alert and draft guidance recommending that medical device manufacturers and health care facilities take measures to protect against cybersecurity intrusions that could compromise device performance and patient safety.[4] This could take the form of a direct attack or could be used to multiply the impact of more conventional types of terrorism that result in mass casualties.

Members of the Healthcare and Public Health Sector to some extent already have a unique perspective on data security because of the security requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). These laws not only require hospitals and other health care organizations to keep patient PHI secure, but also include data breach notification requirements, which mandate that breaches be reported to the Department of Health and Human Services (HHS).

But cybersecurity encompasses much more than what is required by these laws. Notably, cybersecurity intrusions are not limited to data breaches involving PHI. Rather, as noted above, the intent of the intrusion may be to seek information about medical innovations or technologies, or may be to harm patients by remotely disabling or modifying medical devices. Indeed, certain “hacktivists” may seek to disrupt a hospital’s network or systems merely for their own personal or political reasons. As a result, the hospital’s cybersecurity investigation and incident response plan, discussed in more detail below, should be developed broadly to protect all of a hospital’s assets and devices.

In addition to HIPAA and HITECH, hospitals also need to keep in mind additional recommendations and guidance. For example, the Centers for Medicare & Medicaid Services (CMS) has provided a series of information security policies for hospitals and is expected to update those policies to expressly include cybersecurity recommendations.[5] Moreover, publicly traded hospitals should keep in mind the Securities and Exchange Commission’s (SEC) October 2011 guidance, which recommends that publicly traded companies disclose to the public both cybersecurity vulnerabilities and intrusions.[6] Prior to the SEC’s release of this guidance, even companies without HITECH reporting requirements often would publicly disclose a data breach after it had occurred; but companies were less consistent about reporting a cybersecurity vulnerability in the absence of a data breach or intrusion. The SEC is revisiting whether the 2011 guidance is sufficient. Of particular note, during the two and a half years following the initial SEC guidance, agency staff contacted several companies that had not disclosed adequately (in staff’s opinion) cybersecurity vulnerabilities or intrusions. In light of this fact and the heightened interest in cybersecurity, publicly traded hospitals should consider whether to make any disclosures in their SEC filings concerning cybersecurity vulnerabilities and breaches, in addition to notifying HHS, as appropriate, when there is a data breach involving PHI.

In short, every hospital should care about cybersecurity. As hospitals benefit from networked technology and greater connectivity, they also must ensure that they evaluate and manage new risks. Taking steps to improve the security of each device and the ecosystem, such as documenting the way the devices interact with each other and raising the audit trail capability of the hospital infrastructure, can mitigate the threat to the hospital’s overall infrastructure and reduce cybersecurity risks.

II. What should hospitals do in response to the 2013 Executive Order on Cybersecurity?

In response to the president’s Executive Order on Cybersecurity (and as a corporate best practice), hospitals should develop a cybersecurity investigation and incident

When completed early next year, the Cybersecurity Framework will be voluntary for critical infrastructure-sector organizations such as hospitals; for federal departments and agencies, in contrast, it will be required. Importantly, although the framework is designated as “voluntary” for private-sector owners and operators of critical