President Ronald Reagan famously quipped, "I think you all know that I've always felt that the nine most terrifying words in the English language are: I'm from the Government, and I'm here to help."1 At an Oct. 23-24, 2024, conference held by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST), thousands of in-person and virtual attendees learned that the government is willing and able to provide significant help to the healthcare industry on data security. Dozens of government speakers gathered in the Great Hall of the Hubert H. Humphrey Building in Washington, D.C., and shared practical insights on how healthcare industry stakeholders can safeguard data. Joined by the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and the Office of the National Coordinator for Health IT (ONC), OCR and NIST held their first conference on the Health Insurance Portability and Accountability Act (HIPAA) Security Rule since 2019. Here are some highlights.
Cybersecurity in Healthcare Keynote
HHS Deputy Secretary Andrea Palm kicked off the event with a sobering statistic: there was a 93 percent increase in large healthcare breaches and a 234 percent increase in ransomware attacks from 2018 to 2022. In alignment with a mandate set out in the Biden Administration's National Cybersecurity Strategy,2 HHS has prioritized ways to strengthen accountability for data security by leveraging the voluntary Cybersecurity Performance Goals (CPGs), but also by supporting the sector financially in these efforts. Palm emphasized the "imperative of all of us as a coordinated organization to keep patient information safe." She underscored the importance of coordination by noting that there are "too many doors" when engaging with the federal government on cybersecurity, and she raised the possibility of a one-stop shop through which HHS could provide assistance; HHS acknowledges that locating resources is a challenge. HHS has four objectives, said Palm: 1) develop processes to leverage and promote the CPGs, 2) provide financial support to improve cybersecurity, particularly for rural health organizations, 3) hold organizations accountable for weak cybersecurity through department-wide enforcement strategies and 4) increase HHS's incident response activities through improved federal coordination.
Healthcare Cybersecurity Threat Briefing
HHS Cybersecurity Operations Cyber Threat Intelligence Branch Chief Rahul Gaitonde discussed major security threats currently at play, including QR code phishing, zero-click exploits and the use of artificial intelligence (AI) to democratize the capabilities of threat actors. He attributed increased threat activity to more sophisticated attack methods, geopolitical tensions giving rise to more nation-state support for threat actors, and evolving threat vectors, such as uses of AI that make phishing, vulnerability scanning and malware development easier and "hyper charge" what is already available to attackers. Gaitonde noted that identifying and prosecuting advanced persistent threat (APT) actors is complicated by the loosely structured nature of the teams responsible: unlike ransomware groups, which are more formally organized, APT actors often assemble only temporarily for a particular operation. He discussed some of the most prominent hacking and ransomware groups targeting the healthcare industry. One reason healthcare is an attractive target, Gaitonde noted, is that healthcare records are among the most complete in terms of the amount of personal data they contain. He noted that quantum computing will make attacks faster. For the future, he predicted increased attention to quantum-resistant protections against adversarial use of quantum computing, AI-driven defenses, evolving regulations and an increased focus on Zero Trust architecture.
Federal Trade Commission (FTC) Policy and Enforcement Update
FTC Division of Privacy and Identity Protection Attorney Ryan Mehm noted that the FTC has authority over both HIPAA and non-HIPAA covered entities to protect consumers and promote competition. The FTC and OCR have brought cases jointly against healthcare entities. The FTC pursues privacy and security failures under Section 5 of the FTC Act3 against healthcare organizations that make false promises regarding how they protect information, and under the FTC Health Breach Notification Rule, amended effective July 2024, against entities that fail to provide notice of a breach.4 Among other things, the amendments make clear that privacy notices buried in an app are insufficient and that how information is used must be consistent with consumer expectations. The amended rule aligns breach notification timing with HIPAA. Mehm pointed out that the FTC will also enforce other federal privacy laws, such as the Opioid Addiction Recovery Fraud Protection Act of 2018 (OARFPA). Mehm closed by noting that health information is not limited to diagnosis and treatment information; the FTC considers an email address to be health information when it is connected to a healthcare organization. The FTC will continue to enforce against uses of advertising technology (adtech) in healthcare, will increase its focus on direct-to-consumer health apps and has stepped up enforcement against organizations promoting products as HIPAA compliant.
Medical Device Cybersecurity Overview
FDA Senior Cyber Policy Advisor Jessica Wilkerson of the Division of Medical Device Cybersecurity discussed Section 524B of the Federal Food, Drug, and Cosmetic Act, which requires that cybersecurity information be submitted with certain premarket device applications and submissions. Manufacturers of "cyber devices" must also provide a software bill of materials (SBOM) for the software components contained within the device. She emphasized that cybersecurity cannot be used as an excuse for not making devices interoperable. Wilkerson pointed out that the FDA conducts both pre- and post-market cybersecurity review to ensure that products on the market live up to the representations made in their premarket submissions.
Medical Internet of Things and IoT Cybersecurity Panel Discussion
This panel (comprising representatives from NIST, FDA, OCR and the Veterans Health Administration) noted that Congress mandated that the U.S. Department of Commerce have an advisory board to discuss the Internet of Things (IoT). The advisory board released 100 recommendations in a report published on Oct. 22, 2024.5
Acknowledging the unique issues around medical device security, the panel discussed the importance of risk analyses, including identification of every location where electronic protected health information (ePHI) resides, and emphasized that a risk analysis should be neither generic nor a one-time event. It should address risks to ePHI as the data flows into and out of devices and be an ongoing process. The FDA's position is that devices need to be resilient and safe. The FDA noted that security must be balanced against the need to promote interoperability and patient safety. For instance, as Wilkerson pointed out, implementing multi-factor authentication (MFA) on some devices, such as a defibrillator, may create a safety concern (delayed access in an emergency) that outweighs the benefit of the security control.
NIST Privacy Framework Overview
NIST Privacy Policy Advisor Dylan Gilbert reintroduced the NIST Privacy Framework (Version 1.0, released in January 2020),6 discussed its structure and noted that the framework is voluntary. NIST is not a regulatory agency, but it partners with agencies such as OCR to establish standards and resources that assist with data privacy and security compliance. There is no one way to implement its recommendations; NIST takes a risk-based approach that is law, technology and sector neutral. Gilbert announced an update to the framework, Version 1.1, with a draft planned for release in January 2025, to align with the NIST AI Risk Management Framework among other updates.
NIST SP 800-66r2 + Risk Analysis/Risk Management Discussion
This panel discussed the NIST HIPAA Security Rule resource guide, SP 800-66 Rev. 2, issued in February 2024.7 The document serves as a resource, but it is not the only way to implement the rule. The panelists emphasized that a gap analysis is not the same as a risk analysis: a gap analysis checks whether the Security Rule's standards and implementation specifications are in place, whereas a risk analysis identifies the threats and vulnerabilities to ePHI in the entity's own environment and the likelihood and impact of each, even though many of the Security Rule's standards are themselves meant to mitigate risk.
They discussed the HIPAA Security Risk Assessment Tool (SRA Tool) available online through ONC.8 The SRA Tool, alone, may not be sufficient to serve as an entity's HIPAA risk analysis because the entity needs to be able to understand the risks to electronic PHI in its particular environment. The SRA Tool is a point-in-time questionnaire, so it may not sufficiently identify technical vulnerabilities. In addition, the panel emphasized the need to have documentation available that is much more granular than a summary report, board-level presentation or aggregate results when responding to OCR data requests and that the OCR needs the "full report." Finally, Nick Heesters (OCR) reiterated that cybersecurity standards must be viewed through the lens of the general HIPAA rule requiring standards to "ensure the confidentiality, integrity, and availability of all ePHI."
HHS Cybersecurity Activities Discussion Panel
This panel, a combination of OCR, Assistant Secretary for Technology Policy (ASTP, formerly ONC), HHS Administration for Strategic Preparedness and Response (ASPR) and FDA representatives and the HHS Advisor to the Deputy Secretary, discussed security challenges involving medical devices. A top concern is patient health and safety. Malware can lock down scanners and pose an immediate threat to patients. Wilkerson noted the risk of "one to many" incidents, where one organization gets infected and the infection shuts down many others.
The panel discussed the importance of thinking beyond cyber attacks and malicious threat actors. Internal inadvertent incidents are frequent. An incident can happen as easily as an unintended accidental software misconfiguration or a coffee spill on a server.
With respect to protecting against ransomware, incident response planning is key. Converting to paper is not a solution, and testing the processes designed to mitigate impact on an organization is imperative. The Cybersecurity & Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security has a number of ransomware resources.9
The panel discussed the need for interoperability and the prohibitions on information blocking. Actors are supposed to share health data, and if they cannot, they must qualify for an exception. For example, if a system is down, there is an exception related to health IT performance that may apply. When asked how an actor can maintain data security when transmitting electronic health information (EHI) to a patient-requested app if it is impermissible to vet that app, the speakers were emphatic that the security of EHI after transmission to a patient-requested app is not the provider's concern and that the app does not have to be trusted by the provider. PHI must be disclosed to patients via apps of their choosing if the app is able to connect using the patient's authentication credentials.
The panel discussed a plethora of guidance available to healthcare organizations ranging from OCR webinars, such as those given by Heesters, to the free vulnerability scanning tool offered by CISA. Questions from participants emphasized the need for a one-stop location providing access to all of the federal guidance and compliance tools.
OCR Policy Updates
A Notice of Proposed Rulemaking to strengthen the HIPAA Security Rule is under review with the U.S. Office of Management and Budget, and may be published before the end of 2024. Not surprisingly, HHS OCR Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy Marissa Gordon-Nguyen did not describe the pending proposals. Instead, she discussed the history of the Security Rule and its basic framework regarding confidentiality, integrity and availability, referred to as the "CIA Triad." She stated that the concepts in the original Security Rule remain relevant and, "The Security Rule remains evergreen … but that doesn't mean it must remain static." She indicated that there is support for an updated Security Rule informed by changes in technology and the government's enforcement experience.
HHS OCR Keynote
HHS OCR Director Melanie Fontes Rainer discussed the functions of OCR, which is a small office with the large task of enforcing both HIPAA and federal civil rights laws. OCR has staff in 11 cities. Summarizing OCR's increased enforcement focus, Fontes Rainer noted that the HIPAA "Risk Analysis Initiative" has been launched because, despite years of OCR guidance on the standard, a missing or deficient risk analysis is flagged in four out of every five enforcement actions; it is clear that risk analysis is not a priority and, if done, is "put in a drawer and ignored." There will be increased attention in enforcement and rulemaking to address this trend. She said to expect a "robust update" to the HIPAA Security Rule that provides more framing around the security risk analysis, addresses changes in technology (since this is the first update in 20 years) and is intended to make the healthcare sector more secure.
Fontes Rainer announced that Change Healthcare notified OCR that it has now delivered over 100 million notices to individuals and observed that the form of the notices is causing consternation among the recipients. OCR's investigation of the Change Healthcare breach was made public in an effort to be more transparent.
Fontes Rainer encouraged participants to email HHS OCR Deputy Director Tim Noonan with questions as these help inform additional guidance such as the FAQs.
AI in Healthcare Keynote
HHS Assistant Secretary for Technology Policy, National Coordinator for Health Information Technology, and Acting Chief Artificial Intelligence Officer Dr. Micky Tripathi opened by discussing ASTP's strategic plan to develop policies and processes for AI that "close general healthcare disparities" and "make sure that AI doesn't encourage separation." Dr. Tripathi discussed a number of potential advantages of AI, such as reducing the cost of healthcare, cultivating an AI-empowered workforce, creating opportunities across the value chain for more equitable delivery of healthcare (particularly for underserved therapeutic areas), improving medical product safety and allowing the industry "to get more signal from noise." With greater data interoperability, Dr. Tripathi continued, providers receive more information than they can consume and may not know what they are responsible for, so AI can help cull through the data. He noted that "data is the fuel for AI innovation." Dr. Tripathi pointed to reidentification risk, data "greediness" and AI development in alignment with HIPAA ("within the covered entity four walls") as key areas for consideration. He suggested that the AI-empowered patient may be the most transformative development for the industry: patients will be able to access all of their data and then use AI to obtain greater insights into their own healthcare.
HHS AI Panel
The panel, comprising representatives from OCR, FDA, CMS, ASTP, NIH and NIST, discussed a variety of issues, including the need for quality representative data for AI modeling, risk to patients, life-cycle management, guidance development, the need for risk management systems to address AI, and post-market evaluation of AI through FDA regulation. The panel noted that the large quantities of data held by the Centers for Medicare & Medicaid Services (CMS) are available as data sources and that AI offers advantages in reimbursement decision-making. CMS is involved in an agency-wide process to clarify how existing regulations will inform and govern the development and use of this new technology.
Kathryn Marchesini, Chief Privacy Officer for ASTP, noted that, by Jan. 1, 2025, the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule will require developers of certified health IT to meet new AI-related certification criteria and to disclose data sources and other source attribution information to support trustworthiness and transparency for users of predictive decision support interventions (DSIs) (formerly known as clinical decision support tools). Heesters of OCR discussed the relationship with another HHS regulation, Section 1557 of the Affordable Care Act (final rule effective July 2024), which establishes nondiscrimination obligations for healthcare providers. Among other requirements, providers must make reasonable efforts to identify discriminatory impact in uses of AI and take action to mitigate it. The application of risk management strategies to DSIs was emphasized.
With respect to AI development, Heesters, a Senior Advisor for Cybersecurity with OCR, noted that speed to market seems to be the priority for developers of AI tools, with security being an afterthought.
Dr. Susan Gregurick, NIH, discussed the various grant development opportunities and AI initiatives made available through NIH and a focus on making AI available for rural health providers to improve access to care in those communities.
The panel discussed ethics and AI. The acronym FAVES was used to describe the idea that outcomes should be aligned with fair, appropriate, valid, effective and safe AI principles and inform health equity by design in the development of AI.
Small and Rural Cybersecurity Considerations Panel Discussion
This panel, consisting of NIST, CISA, COMMHit (a 501(c)(6) nonprofit) and HHS 405(d) representatives, discussed the challenges that rural health organizations face and the fact that cyberattacks are not reserved for big targets – small facilities in rural areas are attacked as well. Recognizing that rural health providers face unique challenges, not the least of which is financial, they pointed to a plethora of free resources to help healthcare companies of all sizes – both large and small – and discussed practical solutions such as use of National Guard cybersecurity staff, college/graduate computer science student interns, and other "free" or low cost options. Helpful tools can be found at a number of sites including:
NIST Cybersecurity Framework 2.0 + Resources Overview
The NIST Cybersecurity Framework had not been updated for several years, and NIST National Cybersecurity Center of Excellence (NCCoE) Director Cheri Pascoe walked attendees through the Cybersecurity Framework 2.0 released in February 2024.10 The updated framework has been incorporated into the NIST Cybersecurity and Privacy Reference Tool (CPRT), which lets healthcare organizations export applicable NIST frameworks to Excel or a similar format to manage data collection for risk management. Pascoe reiterated that cybersecurity risk management is not an annual or one-time event but an ongoing process. She pointed participants to the draft of the updated NIST incident response publication (SP 800-61 Rev. 3) released in April 2024,11 and announced the future release of an integrated Cybersecurity and Privacy Framework Profile for Genomic Data.12
NIST National Cybersecurity Center of Excellence Healthcare Cybersecurity Project Updates
This panel consisted of the NCCoE director and several private healthcare sector participants (MedCrypt, CareFirst BCBS and MITRE Corp.) and discussed the value of the NIST Cybersecurity Framework in managing cyber risks and operations. Specifically, the panel discussed recent FDA device policy development arising out of analyses of the risks associated with infusion pumps, picture archiving and communication systems (PACS) and remote patient monitoring. They emphasized the importance of practicality in cybersecurity policy development, implementation and management, as well as awareness of the barrier to innovation and availability that over-zealous security management can create.
Workforce Framework for Cybersecurity (NICE Framework)
In addition to policies, standards and guidance, NIST, through the National Initiative for Cybersecurity Education (NICE), offers the Workforce Framework for Cybersecurity (SP 800-181)13 and education, training and workforce development resources for organizations. As NIST NICE Framework Lead Karen Wetzel discussed, the tools provided through NICE inform hiring, job descriptions and role definitions, and empower the workforce through robust cybersecurity education. The NICE Framework and its resources are free for healthcare organizations to use. To encourage cybersecurity careers, Wetzel pointed participants to the National Initiative for Cybersecurity Careers and Studies (NICCS), which provides a Cyber Career Pathways Tool that interoperates with the NICE Framework.14
HHS OCR Enforcement Update
HHS OCR Senior Advisor for HIPAA Compliance & Enforcement Emily Crabbe gave the final presentation, which was one of the highlights of the conference. With good humor and an engaging style, she walked the audience through some of OCR's concerns and the most prevalent HIPAA deficiencies and enforcement priorities. She noted that OCR handled almost 32,000 cases in 2023, resulting in 139 settlements and 10 civil money penalties. An encouraging fact for the industry is that fixing the identified problem resolves the investigation in the vast majority of cases.
The importance of a risk analysis was noted throughout the conference, and Crabbe added to that emphasis by noting that risk analysis must be an ongoing activity, not a periodic exercise. She discussed OCR's "Risk Analysis Initiative," designed to encourage better practices to protect health data, because many large OCR breach investigations turn on the lack of an accurate and thorough identification of the threats and vulnerabilities affecting ePHI. While the OCR Security Risk Assessment Tool is helpful, she noted that it is only a tool to "get started" and that further assessment will be needed. She referenced yet another free government resource, a video on recognized security practices, which were referenced in a 2021 HITECH Act amendment.15 Although there is no liability if a covered entity or business associate elects not to implement these practices, doing so can help protect data while also reducing penalties or the scope of audits.
Takeaways
Key takeaways from the HHS and NIST 2024 HIPAA Security Conference include the following:
- Healthcare organizations should review and refresh security risk analysis policies and processes without delay.
- A proposed rule issuing HIPAA Security Rule amendments is expected this year, but organizations should move forward with implementing currently required policies and processes and HIPAA security standards.
- Expect to see more stringent enforcement of HIPAA breaches, including for business associates.
- AI and quantum computing will have a material impact on cybersecurity policies and practices.
A recording of the conference, along with the slides, will be available to the public. The conference served as a reminder that the government is, in many cases, truly here to help.
Earlier in This Series
For more on regulatory developments at OCR, please see Holland & Knight's previous alerts in the OCR in Overdrive series.
Notes
1 The President's News Conference, Aug. 12, 1986 (visited Oct. 26, 2024).
2 The National Cybersecurity Strategy (visited Oct. 29, 2024).
3 15 U.S.C. § 45.
4 See Final Rule, Federal Trade Commission, Health Breach Notification Rule, 89 Fed. Reg. 47028 (May 30, 2024).
5 Internet of Things (IoT) Advisory Board (IoTAB) Report (visited Oct. 26, 2024).
6 NIST Privacy Framework (visited Oct. 29, 2024).
7 NIST SP 800-66 Rev. 2 (visited Oct. 26, 2024).
8 Security Risk Assessment Tool.
9 Stop Ransomware Resources.
10 Cybersecurity Framework, National Institute of Standards and Technology.
11 Incident Response, Computer Security Resource Center.
12 Cybersecurity and Privacy of Genomic Data, National Cybersecurity Center of Excellence.
13 Workforce Framework for Cybersecurity (NICE Framework).
14 Cyber Career Pathways Tool, National Initiative for Cybersecurity Careers and Studies.
15 OCR Recognized Security Practices Video.