Health-care organizations aren’t effectively collaborating to ward off cybercriminals, security executives concluded after a major breach simulation.

Health-care organizations and cybersecurity groups have increasingly called for private companies and federal agencies to share information with each other about cyberattacks and data breaches. However, health-care companies are often hesitant to share this information for fear of giving away trade secrets or raising the ire of regulators.

“There’s concern on behalf of the enterprise that by sharing information about an attack or some malicious code that regulators will respond negatively,” Emily Mossburg, a principal at Deloitte Advisory Cyber Risk Services, told Bloomberg BNA Dec. 4.

Deloitte, the Health Information Trust Alliance (HITRUST) and the Department of Health and Human Services Dec. 3 released results from a simulated cyberattack on 12 health plans. It was the second annual simulated attack performed by HITRUST, a cybersecurity trade group.

The group found that cyberattacks are becoming “increasingly pervasive and sustained” and open lines of communication between health-care organizations, law enforcement, regulators and business partners are essential parts of a proper breach response.

Industry groups have been seeking legislation that would give companies legal protection, including protection from liability, when they share cybersecurity threat data.

The Senate in October passed the Cybersecurity Information Sharing Act (S. 754) and the House in April passed the Protecting Cyber Networks Act (H.R. 1560). Both would allow private corporations to share cybersecurity threat data with government agencies without running afoul of federal privacy laws (14 PVLR 1976, 11/2/15; see previous article, 209 Privacy Law Watch, 10/29/15).

The bills must be reconciled by Congress before going to President Barack Obama for his signature.

Improved Security.

Despite the lack of sharing of cybersecurity information among health-care organizations, there is evidence that hospital IT security has improved in recent years.

Hospital use of advanced password protection increased to 49 percent in 2014 from 35 percent in 2011, according to data released by the Office of the National Coordinator for Health IT Dec. 2.

More than ever, hospitals are implementing two-factor authentication, which takes log-in security beyond a user name and password by requiring a second, independent factor, the data show. In hospitals that second factor is most commonly a security badge or token, something the user physically holds, combined with the password the user knows.

Improved hospital security, particularly secure log-ins for electronic health record systems, is a result of an increased fear of breaches and lower costs for implementing security measures, Dean Wiech, managing director of Tools4ever, a software security firm, told Bloomberg BNA Dec. 4.

The cost of implementing a two-factor authentication system in a hospital has dropped from $30 per user in 2010 to roughly $10 per user, Wiech said. Similarly, the cost of implementing identity management software has dropped from $70 per user in 2010 to about $10 to $20 per user, he said.

The historically high cost of the software also accounts for why larger hospitals have adopted stricter security measures, Wiech said.

According to the ONC, 63 percent of large hospitals had adopted two-factor authentication in 2014, compared to 35 percent of critical access hospitals and 40 percent of small, rural hospitals.

To contact the reporter on this story: Alex Ruoff in Washington at aruoff@bna.com

To contact the editor responsible for this story: Patty Logan at plogan@bna.com