The American Hospital Association (AHA) has urged Congress to provide law enforcement agencies with appropriate resources to help with the prevention of healthcare industry cyberattacks and assist with investigations into attacks.
The AHA provided a statement for an AHA House Energy and Commerce Subcommittee on Oversight and Investigations hearing on public-private partnerships for healthcare cybersecurity. In the statement, the AHA praised the efforts made by hospitals and health systems to improve data security and prevent cyberattacks.
The AHA explained that the vast majority of hospitals and health systems take the current cybersecurity challenges very seriously and have responded by investing heavily in cybersecurity protections to prevent cybercriminals from gaining access to networks and sensitive data.
The AHA said those efforts include the use of encryption to prevent the theft of PHI, making and testing data backups, conducting annual threat assessments and identifying potential vulnerabilities with extensive penetration testing. Hospitals and health systems are also increasingly conducting tabletop exercises and simulations to assess their disaster recovery and breach response plans.
A recent survey of AHA members confirmed that 80% of hospitals have now implemented intrusion detection systems. 80% of hospitals also now use encryption on their wireless networks, removable media, and mobile devices. More than 90% of hospitals ensure passcodes are required to access mobile devices and have implemented policies that require the use of strong passwords. 90% of hospitals also conduct annual risk analyses and infrastructure security assessments.
However, even with these precautions, healthcare cyberattacks are inevitable and occasionally they will succeed. The AHA explains that collaboration is needed to tackle the threat. Many hospitals and health systems are now participating in threat intelligence sharing on a national level, via private sector programs such as those run by the Healthcare and Public Health Information Sharing and Analysis Center (NH-ISAC) and Health Information Trust Alliance (HITRUST).
The AHA explained that those information sharing programs have been effective and should receive continued support to ensure they can develop and provide actionable information and tools to help the healthcare industry prevent cyberattacks. However, further work is required in this area.
Healthcare organizations need to be provided with more actionable information on the latest cybersecurity threats. They need to be advised of the steps they need to take to secure their networks against new threats. At present, healthcare organizations are being given large volumes of generalized information, which can be difficult to interpret. Without tailored cyber threat information, it is very easy for healthcare organizations to get distracted and suffer information overload.
The AHA also points out that the healthcare industry is heavily regulated and healthcare organizations are required to comply with the HIPAA Security Rule. The HIPAA Security Rule requires covered entities to implement a range of measures to safeguard protected health information.
The AHA says that even when healthcare organizations implement best practices and comply with HIPAA Rules, cyberattacks may still occur. However, it was pointed out that data breaches and cyberattacks do not necessarily mean that HIPAA Rules have been violated. Healthcare organizations should therefore receive appropriate assistance; they should not be blamed when attacks succeed, nor should they be presumed to be at fault.
Help should be provided with the investigation of breaches and any lessons that are learned should be shared with other healthcare organizations to prevent others from falling victim to similar attacks. The AHA says the victims of these attacks should be given appropriate support and resources, while the attackers should be identified and prosecuted.
The AHA says Congress should also ensure that law enforcement and other agencies get the resources they need to help prevent healthcare cyberattacks and to thoroughly investigate attacks when they do occur.