On February 21, 2019, Sen. Mark Warner (D-Va) wrote to several healthcare organizations and federal agencies requesting feedback on how the U.S. government and the healthcare industry can improve cybersecurity.
Sen. Warner is concerned about the number of successful healthcare cyberattacks in recent years, the huge numbers of Americans who are impacted by the attacks, and the cost to the healthcare industry of remediating the attacks. In his letter, Sen. Warner referenced a study conducted by Accenture in 2015 that suggested cyberattacks would cost the healthcare industry more than $305 billion over the next 5 years.
Sen. Warner asked healthcare industry stakeholders several well-crafted questions inviting them to share their thoughts on steps that are currently being taken to improve cybersecurity, address vulnerabilities, and respond to attacks. He also sought suggestions on potential strategies for the U.S. government to adopt to improve cybersecurity at a national level.
Many of those contacted have responded to the request, including AdvaMed, the American Hospital Association (AHA), the American Medical Association (AMA), the College of Healthcare Information Management Executives (CHIME), the Healthcare Leadership Council (HLC), HITRUST, and the Virginia Hospital and Healthcare Association (VHHA).
Responses to Sen. Warner’s letter have been collected, amalgamated, and analyzed by the Institute for Critical Infrastructure Technology (ICIT).
ICIT identified several general themes from the responses. A common theme across all responses was the need for meaningful collaboration between public and private sector stakeholders and experts.
“Meaningful collaboration has proven one of the most under-utilized, cost-effective, and impactful strategies organizations can engage to mitigate hyper-evolving cyber threats,” wrote ICIT in its report (PDF).
Meaningful collaboration improves detection and response efforts and helps to prevent pass-through and supply chain attacks. While large healthcare organizations may have the resources to prevent, detect, and mitigate attacks, small healthcare organizations do not and are particularly vulnerable. Collaboration not only leaves smaller healthcare organizations better protected; it also protects larger organizations against lateral movement from the networks of their smaller partners.
There is a need for improved cybersecurity education and information sharing, which was highlighted by both the HLC and the AHA. The importance of ISAOs was also highlighted by AdvaMed. ISAOs provide timely cybersecurity information to allow members to be more proactive and prevent cyberattacks and data breaches.
Proactive cybersecurity was also a key theme. Healthcare organizations need to shift from reacting to incidents after they occur to proactively preventing data breaches. Without a proactive approach, patients suffer, since it is their sensitive data that is stolen. While proactive cybersecurity naturally comes at a cost, it can be cost-effective, as fines, breach remediation costs, and lawsuits can be avoided.
The AHA drew attention to the risks of attacks on legacy systems, which were developed at a time when cybersecurity was not a major consideration. The AHA stressed the importance of the FDA assisting in raising awareness of the threats to legacy systems and how to bolster cybersecurity.
The complexity of healthcare networks is a major concern, especially with the growing use of IoT devices. While many healthcare organizations have secured their servers, desktops, and laptops, management of other devices such as drug infusion pumps, embedded devices, and imaging systems needs to improve. Many healthcare organizations cannot even keep track of all the devices that connect to their networks, let alone evaluate the security of each device.
“If health systems are forced to trust a conglomeration of open commercial networks to manage their endpoints, we will continue to have an issue securing our medical devices and other critical systems,” explained CHIME. “Unless we have a separate secure system, where trusted parties are vetted securely, as is done with military or other government networks, our medical devices and other end points will still be at risk.”
The complex nature of HIPAA means many resources need to be committed to compliance, yet only minimal standards for healthcare privacy and security are offered. Complying with HIPAA does not necessarily help prevent data breaches. Healthcare organizations that are HIPAA-compliant also tend to have fewer resources to commit to proactive cybersecurity.
“Instead of focusing on punishing healthcare providers who suffer cybersecurity incidents, and thereby further reducing their resources available to modernize systems or adopt layered security controls, emerging governance should incentivize organizations to learn from their mistakes and share those lessons with other stakeholders,” suggested ICIT.
HITRUST, CHIME, HLC, and the AHA all recommend the creation of a safe harbor for healthcare organizations that demonstrate they are in compliance with security regulations to give them immunity from enforcement actions following data breaches. The safe harbor would incentivize them to implement security controls that they might otherwise forgo. It would likely result in improvements to cybersecurity defenses instead of healthcare organizations opting for the minimal level of protection to ensure compliance.
Sen. Warner’s letter has started an important conversation about healthcare cybersecurity. It is hoped that the points raised, together with continued cross-sector and bipartisan collaboration, will lead to major improvements in cybersecurity across the healthcare sector.