In July, the U.S. Department of Health and Human Services announced two funding opportunities for the creation of an Information Sharing and Analysis Organization (ISAO) to aid the healthcare industry. The funding opportunities, worth $250,000, could be renewed for up to five years, according to Elizabeth Snell, contributor at HealthITSecurity.com. These efforts seek to address increasing concerns over the growth of breaches and widespread threats to cybersecurity in healthcare.
Significant Threats on the Rise
Private health information is in high demand and cybercriminals are working tirelessly to obtain sensitive data. The number of data breaches and security incidents in the healthcare and public health sectors continues to rise—with a 35.5% increase from 2014 to 2015, according to the identity theft resource center. And the costs associated with data theft are on the rise, too. The Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, published in May, 2016, revealed that in spite of a marked increase in the number of breaches, many organizations lack the money and resources to manage data breaches caused by evolving cyber threats and preventable mistakes.
As Karen DeSalvo M.D., M.P.H., M.S.c, and national coordinator for health IT stated in a public announcement, “Establishing robust threat information sharing infrastructure and capability within the Healthcare and Public Health Sector is crucial to the privacy and security of health information, which is foundational to the digital health system.” According to Ms. DeSalvo, the ISAO will provide a coordinated resource that will “…focus on sharing the most up-to-date threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information.”
The Detrimental Costs of Data Breaches
Efforts to safeguard electronic protected health information (ePHI) and health IT are also vital to the healthcare and public health sectors from an economic standpoint. Larry Ponemon commented on the results of the IBM-sponsored “2016 Ponemon Institute Cost of a Data Breach Study” and points out that “…the average consolidated total cost of a data breach is $4 million. The study also reports that the cost incurred for each lost or stolen record containing sensitive and confidential information increased from an average of $154 to $158.
The Plan for ISAO
Using an ISAO as a clearinghouse for the most current information about cyber threats is seen as a critical first step in the battle to protect health information and health IT. “Keeping health IT up and running is critical to health system preparedness. Not only do we need to worry about natural disasters, but also increasingly we must combat—and prevent—cyber threats. Many parts of the healthcare system don’t have access to the information they need to protect themselves from these threats,” said Dr. Nicole Lurie, assistant secretary for preparedness and response. “Using an ISAO to exchange cyber threat information with these healthcare organizations, bi-directionally between HHS and the Healthcare and Public Health sector, we hope to build the capacity to better prevent, detect and respond to cyberattacks.”
According to D’Arcy Guerin Gue, writing for HIT Consultant, The “…dual grants will be awarded to an existing Information Sharing and Analysis Center (ISAC) that is already providing outreach and technical assistance to participating organizations on cybersecurity threats specific to the health care and public health sectors.”
The winning ISAC will use the monies to support expansion of the program’s outreach and education capabilities to meet the following objectives:
- Provide more and better information and education on cyber threats to health data
- Increase education outreach on cyber threats
- Help equip affected organizations with tools to take action on threats
- Facilitate information sharing across the healthcare and public health sector and federal cybersecurity partners
While critics of the initiative have expressed concern that the funding is much less than is needed to address the complexity of the problem, the consensus appears to be that something has to be done to try and protect the healthcare and public health sectors.
The HHS has expressed its hope that “…these opportunities will facilitate the sharing of cybersecurity threats identified in the Healthcare and Public Health sector with relevant stakeholders in the industry as well as federal partners, including the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigations (FBI).”
Do you have concerns about cybersecurity? Contact our security specialists to secure your infrastructure.
Additional Resources on This Topic