
Healthcare Sector Launches Program Advocating Coordinated Privacy and Security Partnerships

Healthcare Business Today

Cyberattacks and data breaches continue to escalate in both frequency and severity. The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) reported a 93% increase in large breaches reported from 2018 to 2022, and a 278% increase in large breaches reported to OCR involving ransomware over the same period. These statistics make clear that you cannot have privacy without security. Privacy often refers to compliance with laws, regulations, standards, and practices, and to mandating and monitoring internally developed privacy policies and procedures. Security generally refers to the implementation of information safeguards and security policies through administrative, technical, and physical controls, and to responding to threats that may compromise the confidentiality, integrity, and availability of data assets. Privacy and security must work hand in glove to protect patient data.

The Health Sector Coordinating Council (“HSCC”) Cybersecurity Working Group (“CWG”) recently released a Coordinated Privacy and Security Partnerships (“CPSP”) publication stressing the essential requirement for privacy and security collaboration across healthcare. The CWG is a government-recognized critical infrastructure industry council of more than 400 private entities partnering with the government to identify and mitigate cyber threats to health data and research, systems, manufacturing and patient care. The CWG collaboratively develops and publishes resources on healthcare cybersecurity like the CPSP publication to emphasize that cyber safety is patient safety. 

The healthcare sector is a recognized critical infrastructure with access to sensitive data across various entity functions (e.g., health plans and payers, providers, medical systems, laboratories, pharmaceuticals, medical materials, health information technologies, public health entities, federal partners, coordinated response providers, and emergency services). The CPSP publication emphasizes that everything in healthcare depends upon the safe and effective digital exchange of data across the continuum of care. This was again driven home by the massive cyberattack this February on the UnitedHealth Group, Inc. computer system used to transmit data between healthcare providers and payers, which resulted in a national shutdown that prevented patients from obtaining life-saving prescriptions.

Recognizing these interdependencies so essential to the functioning of the healthcare system, the CPSP publication: (1) identifies intersections, interdependencies, and regulatory and operational distinctions between enterprise privacy and security disciplines; (2) enumerates potential challenges and corresponding risks arising from gaps and/or misalignments between privacy and security functions and priorities; (3) describes differing structural advantages and disadvantages for coordinating or integrating functions; and (4) recommends options for frameworks, practices, and measures that can assist with informing, coordinating, and integrating privacy and security compliance and operations efforts. 

Challenges

The CPSP publication notes that several factors, ranging from organizational structure to conflicting priorities, can lead to disconnects between privacy and security, increasing organizational risk. The separation and individualization of privacy and security roles, each with its own isolated strategy, can impact an organization in unanticipated ways and create cyber risk across the entire healthcare infrastructure. Collaboration challenges fall into five overarching themes:

  1. Cross-functional alignment – how privacy and security specifically coordinate efforts toward their common goals through shared understanding of each other’s mission, goals, priorities, and areas of responsibility. 
  2. Operational understanding – implies privacy and security professionals have responsibilities both to the larger entity and to each other for efficient execution of tasks and monitoring of processes. 
  3. Team dynamics – refers to interactions, relationships, collaborations, trust, and support between privacy and security teams within an entity. 
  4. Organizational culture – the entity’s overarching collection of values, attitudes, systems, and roles. 
  5. Regulatory responsibility – the duty to comply with all applicable laws and regulations for both privacy and security. 

Best Practices

As part of the CPSP publication, the CWG offers ten best practices to address the above challenge themes including:

  1. Identification of the current state (e.g., documenting current capabilities and scope of duties and any strengths, weaknesses and gaps);
  2. Preparation of shared documentation and metrics (e.g., ensuring privacy policies and security policies are consistent to account for shared roles and responsibilities);
  3. Providing cross-training, education, and opportunities for socialization;
  4. Conducting regular tabletop exercises and mock surveys;
  5. Building processes for deliberate communication and early notification (e.g., identifying situations and processes where communication between privacy and security is needed);
  6. Creating a centralized policy and procedure infrastructure;
  7. Implementation of Privacy & Security by Design (e.g., integrating privacy and security practices throughout an entire project/product life cycle);
  8. Identification of shared executive sponsorship and support;
  9. Creation of a cross-functional governance structure with a shared framework; and
  10. Creation of an appropriate setting and consistent opportunity to resolve differences.

Additionally, thoughtful consideration by an enterprise for privacy and security governance and reporting structures can increase operational efficiency and decrease risk. The board of directors/board of trustees should also have oversight in both privacy and security risks, requiring both privacy and security leaders to share reports, insights and opinions with the board.

Conclusion

Privacy and security should and can proactively and cohesively work together to mitigate cyber risks, which in turn mitigates the risks to patient safety. Entities in the healthcare industry should pay close attention to their governance structures to ensure that their privacy and security organizations are not siloed but rather are in constant communication with each other and with the entity’s leadership. Many healthcare entities have made internal strides enhancing privacy and security by design and default. The CPSP publication advocates taking the next logical steps to better secure patient data across the industry and maximize cyber protection.

"Healthcare Sector Launches Program Advocating Coordinated Privacy and Security Partnerships," by Sharon R. Klein and Karen H. Shin was published in Healthcare Business Today on March 6, 2024.