3 good reasons why health leaders should adopt HICP
2022 is here, and cyberattacks are not letting up. So, as a leader, you have two options: believe that the hackers won’t attack you or to prepare. I’ll choose the latter, and I want to share my thoughts on why adopting HICP is a good idea to get prepared.
The truth is, for profit-oriented hackers, healthcare organizations of all sizes are worth a shot. The recent popularity of bitcoin makes it more accessible for the public to send ransomware payments to them. The potential ROI is just too hard for them to resist.
Whether your organization is small or large, you are a target. A survey (October 2021) done by Association for Executives in Healthcare Information Security (AEHIS) found that 67% of respondents had a security incident in the last 12 months. So with this data, what can we do to avoid having a security incident in 2022?
Fortunately, more than 150 healthcare leaders have produced Health Industry Cybersecurity Practices (HICP). These documents are reliable because it has gone through a peer-review process, vetted by credible healthcare leaders in this country. As the name suggests, this is healthcare-specific, so it is relevant and up to date. It also makes appropriate recommendations based on the organization’s size.
In short, HICP provides an excellent base to build your cybersecurity practices.
Adopting HICP also provides three benefits:
1. HICP prevents care disruption and protects patient safety
The Hippocratic citation “First, do no harm” should include cybersecurity in this day and age.
The harm comes from the interconnected systems used to deliver care. I refer to systems like the EHR, practice management systems, revenue cycle management systems, and ERP. Unfortunately, in the case of ransomware, these critical systems were not available and disrupted clinical and administrative workflow.
We learned from a past incident that a health facility had to use paper-based processes for a few months when they were trying to recover. It was a stressful time for everybody involved. Besides delayed patient care, it also strained nearby facilities as they needed to transfer the patients. Therefore, when considering the impact of an attack, it is not sufficient to look internally. An attack experienced by one facility will affect other health facilities in the area.
As care delivery relies more and more on technology, health leaders would benefit from adopting HICP to protect these critical systems as patient safety is dependent on it.
2. HICP helps with cyber insurance coverage
Cyber insurance policy is getting harder and more costly to get.
In October 2021, The National Association Of Insurance Commissioners (NAIC) staff produced a on the cybersecurity insurance market to the Property and Casualty Insurance © Committee. In this report, the loss ratio for the top 20 groups averaged at 66.9% in 2020 (an increase from 44.6% in 2019). With attacks reported in 2021, this number is expected to increase further. As a result, they feel the pressure and make the necessary adjustments to make their business more sustainable.
This data aligns with the AEHIS survey, which mentioned that over 80% of survey respondents said their premium increased last year. In addition, underwriters are now adding prerequisites. For example, they might ask for proof of multi-factor authentication, privilege access management, and network segmentation. These requirements are challenging to meet overnight. However, health systems may not get adequate coverage without these controls.
As you read through the HICP documents, you will find that these requirements are also covered. From email protection systems to cybersecurity policies, you will realize that it covers more grounds than the insurers asked. By adopting and documenting your HICP practices, your organization is better prepared to get coverage.
3. HICP provides incentives when a breach is to occur
A breach is still possible despite the best prevention measures. However, there are two different possible outcomes of an investigation: favorable and not favorable. The final outcome depends on the status of HICP adoption and how long you have been practicing it.
Public law 116–321, passed on January 5th, 2021, addresses this topic. It says that the Secretary shall consider whether the covered entity or business associate has demonstrated HICP for 12 months. If they had, it may either mitigate fines, early and favorable termination of an audit or mitigate the remedies. These are compelling incentives.
Having HICP in place for 12 months signals that a covered entity or business associates have exercised reasonable and appropriate measures to prevent a breach. The law provides incentives and encourages HICP adoption among the healthcare community.
As we enter 2022 and prepare for cyberattacks, let’s consider HICP adoption as by doing so, we are:
- protecting patient safety
- preparing our organization to become insurable
- getting incentives when a breach happened
The next question is how.
I will share my journey in implementing HICP, my thoughts, and my challenges in the upcoming post.
Originally published at https://healthcyberlab.org on January 4, 2022.