Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing

With the healthcare industry under a sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation.

The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law enforcement and government agencies to combat cybercrime. Accessing that information also allows healthcare entities to take timely action to address vulnerabilities before they are exploited.

Government and law enforcement agencies are educating healthcare organizations on the importance of sharing threat intelligence, although currently too few entities are sharing threat information.

At a Congressional Energy and Commerce Committee hearing this week, cybersecurity experts made suggestions on how Congress can improve threat information sharing and improve healthcare cybersecurity.

At the hearing, Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC), explained that failing to take action to combat cybersecurity threats is putting patient safety at risk. In some cases, this could be a life or death matter for affected patients.

Ransomware can prevent patients’ health records from being accessed by healthcare providers; however, Anderson explained that data manipulation could be an even bigger problem. If cybercriminals were to change medical records, they could then demand a ransom from the healthcare provider to divulge which records had been changed. Data manipulation could result in patients being incorrectly diagnosed or provided with the wrong medications. That could have fatal consequences.

The healthcare industry has many small to medium-sized healthcare organizations that lack the capital and resources to deal with cybersecurity issues. They cannot keep up with the practices that are required to keep patients’ data secured. Many are faced with a choice – purchase essential medical equipment or a new cybersecurity tool. There is little incentive to choose the latter.

Cybersecurity Incidents Often Go Unreported

The number of cybersecurity threats has increased significantly in recent years, as has the number of reported healthcare data breaches, yet those reported breaches are just a fraction of the security incidents that are now plaguing the healthcare industry. Many cybersecurity threats and security incidents go unreported.

Evidence gathered from normal security monitoring suggests there are far more breaches occurring than current data breach reports suggest. Terry Rice, vice president of IT risk management and chief information security officer at Merck, suggested that while laws are in place that require healthcare organizations to report security incidents, current disclosure laws have limited requirements for reporting incidents, and many organizations are either not submitting incident reports or delaying them.

Threat Information Sharing is Critical

While it is important for further efforts to be made to educate the healthcare industry on the importance of sharing threat information, education alone is unlikely to solve the problem. Sharing threat information carries a cost that many small healthcare providers simply cannot afford.

Anderson suggests that while there are clear benefits to participating in information sharing efforts, threat intelligence sharing should not be mandatory. Healthcare organizations should be given a choice. However, healthcare organizations can be encouraged to share information if they are offered financial incentives for doing so.

She also suggested ISACs should be offered tax breaks, that information shared through ISACs should be protected, and that organizations that share threat intelligence should be provided with better legal protections.

Congress was also advised to create permanent cybersecurity liaisons and leaders. Those individuals should be experienced cybersecurity professionals that are aware of the threats, vulnerabilities and cybersecurity issues faced by the healthcare industry.

Michael McNeil, global product security and services officer for Royal Philips, pointed out that cyberattacks on medical devices pose a serious threat to patients and potentially place patients’ lives at risk.

He suggested medical device manufacturers should be included in conversations about cybersecurity and should ensure security is considered at every stage of the manufacturing process. Device manufacturers must also address cybersecurity issues at every stage of the product lifecycle, not just until their devices come to market.

Device manufacturers also need to collaborate and agree to a set of standards that can be adopted to improve cybersecurity. There should be regulatory requirements covering cybersecurity for device manufacturers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.