MROs deploy new security measures and increase cyber-liability insurance.
In response to growing concerns of Russian cyberthreats on key U.S. infrastructure, the bipartisan Healthcare Cybersecurity Act of 2022 was introduced by U.S. Senators Bill Cassidy, M.D, (R-LA) and Jacky Rosen (DG-NV) on March 23, 2022. The bill was proposed just days after President Biden warned of “evolving intelligence” suggesting that Russia is actively exploring potential cyberattacks targeting critical infrastructure such as the U.S. financial sector, energy grid, healthcare system and water treatment facilities.
Since most of America’s critical infrastructure is owned and operated by the private sector, White House officials have delivered classified briefings to more than 100 companies, urging at-risk private sector partners to bolster cybersecurity defenses against potential intrusions by Russia-linked actors. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has been actively working with organizations across critical infrastructure sectors to rapidly share information and mitigation guidance to help protect their systems and networks.
The new legislation would direct CISA to collaborate with the Department of Health and Human Services (HHS) to improve cybersecurity in the healthcare and public health sector. The establishment of CISA was required by the Cybersecurity Information Sharing Act of 2015. The proposed law does not amend the previous Act; rather, it strengthens and expands the previously mandated cybersecurity obligations of CISA and HHS to U.S. healthcare organizations.
Cyberattacks on U.S. healthcare targets have increased dramatically in recent years, leading to data breaches that have increased healthcare delivery costs and, in some instances, affected patient outcomes. According to the new legislation, more than 1,000,000 people were affected by data breaches at healthcare organizations “almost every month” in 2020.
The Healthcare Cybersecurity Act of 2022 would:
- Require CISA and HHS to collaborate, including by entering into an agreement to improve cybersecurity in the healthcare and public health sector, as defined by CISA.
- Authorize training to healthcare providers on cybersecurity risks and ways to mitigate them.
- Require CISA to conduct a detailed study on specific cybersecurity risks facing the healthcare and public health sector, including an analysis of how cybersecurity risks specifically impact healthcare assets and an evaluation of the challenges healthcare providers face in securing updated information systems, addressing vulnerabilities in medical devices and equipment, and implementing cybersecurity protocols.
- Require CISA to assess relevant cybersecurity workforce shortages and provide recommendations for how to address such shortages and issues.
In early March 2022, CISA issued a rare “Shields Up” warning for cyberattacks, stating every organization, large and small, must be prepared to respond to disruptive cyber activity. To provide quick access to resources for urgent security improvements, CISA has compiled guidance, updates and free cybersecurity services and tools from government and industry partners on its website.
CISA also maintains a catalog of vendors and products with known cybersecurity vulnerabilities, and indicates what actions to take if an organization uses one of those vendors or products.
Prior to the recent threat escalation, the healthcare industry was already racing to protect against mounting cyberthreats attributable to telemedicine, working remotely and the increased use of remote IoT monitoring devices. Accordingly, HHS recommends healthcare organizations continue to bolster their defenses on the most common threats, but to also increase security for new technologies that could be targeted by hackers.
Following are five advisories the HHS recommends for healthcare organizations to improve their defenses in 2022:
- Continue to test phishing programs and train employees on how to combat and identify phishing attacks.
- Use remote access technology such as virtual private networks or technologies using remote desktop protocols sparingly.
- Analyze how your healthcare organization can be compromised by your suppliers, vendors, business partners, customers and service providers.
- Be aware of new threats or new cyber criminals who may pose a threat to your healthcare organization.
- Utilize government resources designed to help protect healthcare organizations from cybersecurity threats.
The recovery time and costs associated with breaches of critical data not only pose significant financial burdens but also hamper the ability of healthcare institutions to provide care. Cyberattacks can result in the rescheduling of appointments and surgeries, the diversion of emergency vehicles, shutdowns to care units or even entire healthcare organizations. In worse case scenarios, cyberthreats such as ransomware can cause outages among the medical devices that keep some patients alive. Cyber breaches that disclose confidential patient information also risk the loss of consumer confidence, litigation costs and substantial penalties associated with the enforcement of state and federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA).
Amid the expansion of remote healthcare delivery and the growing digitization of insurance transactions, clinical records and billing, cybercriminals are using increasingly sophisticated techniques, including artificial intelligence, to target U.S. health insurers. Healthcare payors and other third parties that fail to protect sensitive customer information face financial, reputational, operational and regulatory risks.
Cyber-Liability Insurance Offers Vital Protection for MROs
Assessing the challenges confronting medical review organizations (MRO), independent review organizations (IRO) and utilization review organizations (URO) amid an era of increasing liability from cyberattacks, a new resource entitled, Why Cyber-Liability Coverage is Essential for Medical Review Organizations, provides the latest developments in the cyber-liability insurance coverage market.
MROs, IROs and UROs work with personally identifiable information (PII), including patients’ protected health information (PHI). As such, the threat of data breaches impacting these highly specialized corners of the healthcare market is not a matter of “if,” but “when.” Experts attribute the recent rise in cybercrimes to a variety of factors including the COVID-19 pandemic, soaring rates of internet usage, remote work environments and, most recently, the expanding war in Ukraine. In fact, threat conditions have escalated to the point where many organizations are finding it difficult to obtain sufficient cyber-liability insurance to protect their customers.
Some analysts report a “hardening rate environment” in the cyber-liability insurance market and expect costs to continue to rise, with coverage increasingly more difficult to obtain, in the coming years. Some carriers are dropping cyber coverage altogether, which further adds to rising premium costs as the number of suppliers is reduced.
MedReview, a physician-led authority in payment integrity, utilization management and quality management services for more than 40 years, has nearly doubled its cyber-liability coverage in 2022. “Cybersecurity is the leading health technology hazard this year because it continues to demonstrate its ability to disrupt healthcare systems and cause a range of problems,” said MedReview chief technology officer (CTO) Nick Sopov.
To meet the growing threat posed by individuals and foreign actors alike, MedReview has gone above and beyond to tighten its cybersecurity defenses. In addition to meeting newly expanded HITRUST requirements, the company has doubled its investment in cyber-liability insurance and initiated a variety of measures across the organization to further protect against threats originating at home or abroad.
“Our customers entrust us with the personal health records of millions of Americans; so, as you can imagine, keeping highly sensitive information of this nature from falling into the wrong hands will always top our priority list,” said Sopov. “It’s one of our core company values.”
“It’s important to keep our employees up to speed on the latest developments because this is much more than an IT issue. Hacking incidents that target life-support systems and medical devices can lead to delays in patient care – even loss of life,” said Sopov.
For additional information about the growing threat cybercriminals pose to MROs, IROs and UROs, a new resource is available from the National Association of Independent Review Organization (NAIRO)