How the Change Healthcare breach can prompt real cybersecurity change

People’s lives, privacy and safety can hang in the balance when malicious criminals disrupt healthcare operations. Recently, a ransomware attack forced Change Healthcare, which maintains medical records for approximately one-third of patients in the United States, to shut down their systems and impacted pharmacies nationwide, delaying critical prescriptions. This incident is just the latest in a string of healthcare breaches affecting an alarming number of patients and giving attackers access to the most sensitive personal healthcare data. 

After the number of health data leaks hit a new record last year, healthcare providers should be leveraging all the tools available to protect themselves and their patients from malicious criminals. And with healthcare breaches on the front page every day, there may finally be momentum to take action. There is one solution that is simple but not obvious to the industry — healthcare needs more hackers.  

The hacking community is diverse and filled with ethical hackers or good faith security researchers who use their skills for good. They work with businesses and organizations to identify and address vulnerabilities and prevent cyberattacks, but some in the healthcare sector are resistant to collaboration with this community, for reasons that can be easily addressed. 

Ethical hacking for healthcare

Increasingly, security best practices, regulations and standards have recognized the value of asking hackers to help identify and report vulnerabilities to enhance an organization’s cybersecurity posture. Whether through Vulnerability Disclosure Policies (VDPs) or Bug Bounty Programs (BBPs), these programs create a process for ethical hackers to responsibly disclose vulnerabilities, increasing the likelihood for organizations to mitigate those vulnerabilities before they can be exploited. BBPs increase engagement by offering monetary rewards or other incentives to hackers who successfully identify and report in-scope vulnerabilities. 

Active identification of vulnerabilities is critical to minimize the opportunity for exploitation by malicious criminals. Both VDPs and BBPs hold the potential to mitigate the impacts of data breaches and cyberattacks that have led to the exposure of patient information, disruption of healthcare services and risk to patient safety.

Overcoming regulatory hurdles 

So… why hasn’t the healthcare community embraced ethical hacking more readily, then? 

One possible answer lies in the regulatory ambiguity around collaborating with well-intentioned ethical hackers. Until the government eliminates this ambiguity, the healthcare industry may continue to shy away from this proven method to fortify against cyberthreats and adequately protect patient data.

Specifically, the concern arises when good faith hackers uncover vulnerabilities in systems containing electronic Personal Health Information (ePHI). Current regulation fails to differentiate this positive outcome by those interested in protecting data from malicious efforts by those who wish to exploit data. While security research itself may not always implicate ePHI, the presence of such sensitive data may trigger concerns about patient confidentiality, governed by laws like the Health Insurance Portability and Accountability Act (HIPAA). Under the most conservative possible interpretation of HIPAA, if a security researcher discovers a vulnerability exposing unsecured ePHI of more than 500 individuals, the healthcare organization may need to consider it a “breach,” leading to a possible report on a government website often referred to as the “HIPAA Wall of Shame.” 

To navigate these complexities, healthcare organizations can authorize vulnerability research by entering into Business Associate Agreements (BAAs) with ethical hackers. However, BAAs come with many complex legal obligations that may deter individuals from participating solely to identify and disclose vulnerabilities. 

Collaborating with ethical hackers can help the healthcare sector prevent cyberattacks before they occur, ultimately safeguarding sensitive patient data, medical devices and health delivery infrastructure. While the benefits of ethical hacking in healthcare are clear, the regulatory landscape and concerns over patient confidentiality may create barriers. To overcome these challenges, policymakers should work to remove ambiguity from regulations and clarify that incidentally disclosing ePHI in the context of good faith security research does not constitute a breach.