If you’re a US citizen, you’re likely numb to the endless letters informing you that your information has been stolen yet again. For most of us, this is an annoyance and an inconvenience. But if you’re a patient in a hospital during an attack, it would be disconcerting to know that studies indicate medical errors increase by 30% when clinical applications are offline, and that there is a “small but significant” increase in patient mortality.

Given the number of cybersecurity incidents in healthcare during the past 24 months, it’s not surprising that during that often quiet week between Christmas and New Year’s Day, the Office for Civil Rights within the Department of Health and Human Services issued a Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information. Published in the Federal Register on January 6th, the order could have broad implications for the healthcare consumer, the regulator, and health organizations. And it will certainly come with a cost.

But will this proposed regulation actually reduce cybersecurity risk for the healthcare industry? 

Documentation is not Prevention

Ironically, while healthcare practitioners have recognized the need to shift from merely treating illness to helping prevent it, healthcare IT is simultaneously realizing that prevention alone (a singular focus on security) isn’t sufficient. We need effective courses of treatment to bounce back from cyberattacks. 

One major theme in the proposed rules is a heavy emphasis on written documentation: an asset inventory and network maps, test plans, response and restoration plans. There’s even written documentation of how all that other documentation will be updated.

The IT department is already awash in staggering amounts of data, but bereft of actionable insight. Before attempting to describe how 1,000 applications interact with each other, in sufficient detail to be technically useful while remaining readable, we should be clear about how that description would actually be used to make better decisions.

IT has seen previous efforts to “de-risk” IT through documentation and committee, which required time-consuming forms, planning and external approvals from a “change advisory board.” However, even with the best of intentions and rigorous application, multiple independent studies in different countries have found that the process doesn’t actually reduce outages or risk very much. 

One UK study found that some Change Advisory Boards (CABs) approved more than 90% of the changes proposed, and in some cases CABs hadn’t rejected a single change in an entire year’s work. This feels like a bit of a rubber stamp; perhaps simply documenting something and involving more people in a decision doesn’t actually produce better results.

Gently paraphrasing Archilochus, we could say “we don’t rise to the level of our documented ambitions, we fall to the level of our insight and automation.” With constant updates by third parties, project work, unpatched networked medical devices, and legions of non-technical users, IT environments are too dynamic to be tamed through mere documentation.

New Capabilities Can Produce Results

Better than mandating documentation would be mandating and funding new capabilities that help meet the responsibilities already outlined in HIPAA, from which documentation could be easily produced. 

Take electronic protected health information (ePHI) as an example. The new rules would require covered organizations to map and know the movement of ePHI throughout their enterprise “on an ongoing basis,” and to understand “all reasonably anticipated threats” to it.

This could be challenging because, as CISA wrote in the 2023 Mitigation Guide for Healthcare, “you can’t secure what you can’t see.” Most organizations will acknowledge that while they roughly know what sorts of data their applications hold and approximately how those application stacks were intended to be configured, the ubiquitous “export to Excel” button means all bets are off. Documentation won’t be able to limit or track this kind of action.

Legacy approaches to monitoring for exposed data were expensive, degraded the performance of the scanned systems, and were rarely run at scale. Thankfully, there are now alternative methods. Rubrik, for example, has the ability to routinely and rapidly scan backup data and alert teams to locations where sensitive data is exposed, all without impacting performance in production.

In 2023, Rubrik worked with an organization to deploy Rubrik Sensitive Data Discovery and was surprised to find millions of ePHI records in a user’s home folder, the accumulated result of a decade of “exporting to Excel” to create homegrown reports. Another organization found a spreadsheet with the personal data of 115,000 employees in a small test/dev environment of just 10 virtual servers, where it never should have been.

In both cases, automation discovered ePHI in places it wasn’t supposed to be. This enabled timely corrective actions, reducing the risk of a data breach. This style of automation is the sort of capability that will meaningfully reduce data breaches, and can easily create the required documentation.
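As an added illustration of the discovery approach described above (example code written for this page, not Rubrik’s product or its internals), a small scanner that scores exported files by the number of lines carrying several PHI-like identifiers at once, so that a lone number in a note is not mistaken for a record. The file paths, contents and MRN format are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample files standing in for scanned backup copies of a user's
# home folder and a test/dev share (no real data): path -> contents.
SAMPLE_FILES = {
    "home/jdoe/reports/q3_visits.csv": (
        "mrn,name,dob,ssn,diagnosis\n"
        "MRN-0001234,Alice Example,1980-02-14,123-45-6789,J45.20\n"
        "MRN-0001235,Bob Sample,1975-11-03,987-65-4321,E11.9\n"
    ),
    "home/jdoe/notes/todo.txt": "call vendor about firewall renewal 123-45-6789\n",
    "testdev/vm07/staff_export.csv": "employee,dob,ssn\nCarol Test,1990-05-21,111-22-3333\n",
}

# Identifier patterns; the MRN format is assumed for this example.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
    "icd10": re.compile(r"\b[A-Z]\d{2}(\.\d{1,2})?\b"),
}
Finding = namedtuple("Finding", "path records kinds")

def scan_text(text, min_kinds=2):
    """Count lines carrying at least `min_kinds` distinct identifier types.
    A lone SSN in a note is noise; SSN plus DOB on one line looks like a record."""
    records, kinds_seen = 0, set()
    for line in text.splitlines():
        kinds = {k for k, p in PATTERNS.items() if p.search(line)}
        if len(kinds) >= min_kinds:
            records += 1
            kinds_seen |= kinds
    return records, kinds_seen

def discover_ephi(files, min_records=1):
    """Findings for files holding PHI-like records, largest exposure first."""
    findings = []
    for path, text in files.items():
        records, kinds = scan_text(text)
        if records >= min_records:
            findings.append(Finding(path, records, sorted(kinds)))
    return sorted(findings, key=lambda f: f.records, reverse=True)

if __name__ == "__main__":
    for f in discover_ephi(SAMPLE_FILES):
        print(f"{f.path}: {f.records} record(s) with {', '.join(f.kinds)}")
```

The sorted findings list is the kind of output that both drives the corrective action and doubles as the “where does ePHI live” documentation the rules ask for.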

Another proposed rule requires organizations to know which applications are critical to their operations and the relative priority of each, and to have written procedures to restore critical electronic information systems and data within 72 hours of their loss.

But even better than having documentation would be the ability to non-disruptively demonstrate that you can confidently recover your critical applications, without reinfection, and to know exactly how long it took the last 10 times you did it. Which is more likely to create the desired change: a binder detailing a recovery plan, or a proven, automated playbook that can recover the application? When it works, you can print the results as documentation that you are able to recover the applications. “Well done is better than well said.”

The proposed 72-hour timeline to recover critical applications is very aggressive, given the damage typically inflicted by a serious ransomware attack and the complications of finding clean backup data that doesn’t contain the malware. However, the capabilities required to rapidly and safely recover applications after an attack exist, and typically include:

  • Backup and restore technologies specifically designed from the ground up to withstand concerted and prolonged attacks by an actor behind the firewall 

  • Zero-trust architectures that assume anyone’s credentials can be compromised, even those of empowered IT administrators, and limit the damage that can be caused by a rogue actor

  • The ability to know what changes were made when and by whom to identity stores like Active Directory and quickly recover them to a specific point in time 

  • Ongoing threat monitoring (also required in the proposed rules)

  • Accurate machine learning models that monitor for departures from behavioral baselines that would indicate ransomware attacks in progress (Rubrik’s Threat Monitoring)

  • Integrated tools for identifying infected backup data in the wake of an attack (what Rubrik calls “threat hunting”), so that it isn’t unknowingly restored

  • The ability to rapidly quarantine infected data (both in production and backups)

  • Pre-built, automated playbooks to rapidly recover critical applications in the right order that can be routinely run and validated in advance of an attack
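To show how several of the listed capabilities fit together, an added example (written for this page, not Rubrik’s playbook engine) that orders restores by dependency and priority, picks the newest snapshot that threat hunting has not flagged as infected, and refuses to restore anything whose clean copy or whose dependency is missing, which is exactly the case a binder does not surface. The application inventory, snapshot catalog and timestamps are constructed.

```python
# Constructed inventory (assumed, not from the page): app -> (priority tier, dependencies).
APPS = {
    "active_directory": (1, []),
    "dns": (1, []),
    "ehr_database": (2, ["active_directory", "dns"]),
    "ehr_frontend": (2, ["ehr_database"]),
    "imaging_pacs": (3, ["active_directory", "dns"]),
}
# Constructed snapshot catalog: app -> [(timestamp, flagged_by_threat_hunt)], newest first.
SNAPSHOTS = {
    "active_directory": [("2025-01-06T02:00", True), ("2025-01-05T02:00", False)],
    "dns": [("2025-01-06T02:00", False)],
    "ehr_database": [("2025-01-06T02:00", True), ("2025-01-05T02:00", True)],
    "ehr_frontend": [("2025-01-06T02:00", False)],
    "imaging_pacs": [("2025-01-06T02:00", False)],
}

def restore_order(apps):
    """Dependencies first; among apps that are ready, the lower tier restores first."""
    remaining, order = dict(apps), []
    while remaining:
        ready = [a for a, (_, deps) in remaining.items() if all(d in order for d in deps)]
        if not ready:
            raise ValueError("dependency cycle or missing app in inventory")
        nxt = min(ready, key=lambda a: (apps[a][0], a))
        order.append(nxt)
        del remaining[nxt]
    return order

def newest_clean_snapshot(snaps):
    """Newest snapshot not flagged by threat hunting, or None if every copy is suspect."""
    return next((ts for ts, flagged in snaps if not flagged), None)

def build_playbook(apps, snapshots):
    """Ordered restore steps plus the apps that cannot be safely restored, with reasons."""
    steps, blocked = [], {}
    for app in restore_order(apps):
        bad_dep = next((d for d in apps[app][1] if d in blocked), None)
        ts = newest_clean_snapshot(snapshots.get(app, []))
        if bad_dep:
            blocked[app] = f"depends on blocked {bad_dep}"
        elif ts is None:
            blocked[app] = "no clean snapshot"
        else:
            steps.append((app, ts))
    return steps, blocked

if __name__ == "__main__":
    print(build_playbook(APPS, SNAPSHOTS))
```

Running the plan routinely, rather than only after an attack, is what turns the blocked list into a fixable finding instead of a surprise during a 72-hour recovery window.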

To meet aggressive recovery timelines, IT needs solutions where these capabilities are tightly integrated, and both security and infrastructure personnel must be trained in their use. To that end, Rubrik offers complementary training for both healthcare leaders and technologists to demonstrate how to plan for and conduct rapid recoveries. 

Despite the headlines, some healthcare organizations are conducting fast and effective recoveries from ransomware attacks today. It’s poetic irony that the absence of headlines about their successes is a testament to them. But just as Roger Bannister’s four-minute mile record was quickly replicated by others, Rubrik believes that these accomplishments can and should become the standard by which cyber-resilience is measured.

Notwithstanding the 393 pages of proposed rules we have to review, much detail remains to be ironed out. Yet there is reason to believe that just as in the past, a stake in the sand accompanied with incentives and funding can drive improvements. 

I have great faith in the quality of people Rubrik works with every day across the U.S. healthcare system, and their desire to do the right thing for their patients. The new administration introduces additional levels of uncertainty regarding this ruling, and it may be a long time before we have clarity on any changes. Wherever the regulations settle, Rubrik will continue to find ways to equip our customers with the insight and automation needed to improve their cyber resilience, achieve compliance, and ensure quality care.