The U.S. Senate Committee on Homeland Security and Governmental Affairs held a hearing to examine cybersecurity threats to the healthcare industry, what healthcare companies and the federal government are doing to address those risks, and what the federal government must do to strengthen defenses against cyberattacks on the healthcare industry.
Committee Chairman Gary C. Peters (D-MI) stated that the persistent cyberattacks show that foreign adversaries and cybercriminals will keep exploiting cybersecurity vulnerabilities in critical infrastructure and its most important systems. The biggest concern about these attacks is that not only personal data but also patient health and safety are at risk.
Peters noted that the committee has recently taken important steps to reinforce cybersecurity for critical infrastructure sectors, including healthcare. For instance, it advanced a bipartisan bill requiring critical infrastructure companies to report any cyberattacks they experience and any ransomware payments they make to the Cybersecurity and Infrastructure Security Agency (CISA). The aim is to provide greater transparency and situational awareness for cybersecurity defense and to allow CISA to warn prospective victims of cyberattacks in progress. Congress can do more to make sure critical systems in the healthcare and public health sector are resilient to cyberattacks.
A brief summary of the testimonies given during the hearing follows.
Scott Dresden – SVP and CISO of Corewell Health
Scott Dresden discussed the particular vulnerability of the healthcare industry to cyberattacks, which stems from the complex healthcare business model: several, usually independent, entities work together to create what the patient experiences as a single, coherent care delivery process. Over time, and usually out of necessity, this model has changed in ways that make the industry more prone to cyberattacks. Examples include the rapid growth of network-connected technologies used to deliver telehealth during the COVID-19 pandemic and the expanded use of Software as a Service and cloud-based tools. These have substantially broadened the attack surface and given threat actors many more ways to strike an organization.
Dresden stated that it is important to implement a comprehensive data security program, but there is great variation across the industry. Although large health systems have the resources to build a strong security team, it is far more challenging for small and medium-sized healthcare organizations. Even large health systems with mature security programs continue to be compromised. Dresden asked the U.S. government to respond more effectively to cyber threats and to systematize the distribution to the healthcare industry of the actionable threat intelligence that the authorities receive. Doing so would allow the quick, near real-time, automatic application of that threat intelligence in the technologies that member organizations use to safeguard their own companies.
The HHS Office for Civil Rights has recently asked Congress to raise the penalty limits for HIPAA violations to help cover its budget shortfall, but Dresden does not think this is a good decision. He said Congress understands and supports the legislative intent of encouraging the adoption of guidelines and the implementation of suitable safeguards to protect data. However, penalizing cyberattack victims whose defensive measures cannot keep pace with the ingenuity of attackers is not fair.
Greg Garcia – Executive Director of the Cyber Security Healthcare and Public Health Sector Coordinating Council
Greg Garcia offered a summary of cyber threats, vulnerabilities, and data breach trends. He outlined how the HPH sector and government organizations are working together on cybersecurity and made a number of recommendations on ways the government could support the health sector's efforts to strengthen security.
The recommendations include enhancing the HHS 405(d) program, which already has a good track record of partnership with the healthcare sector; setting up a Healthcare Cybersecurity Workforce Development Program to address staffing difficulties; providing financial assistance to improve the cybersecurity of healthcare organizations; and increasing funding for the HHS Health Sector Cyber Coordination Center (HC3) to broaden its capacity to share information and analysis resources with the industry.
With finances already stretched, facing multiple class action lawsuits after a data breach could drain a healthcare organization financially. The money spent defending those lawsuits could have been better spent on improving cybersecurity to prevent further data breaches. Garcia recommends protecting health delivery organizations from class action lawsuits when they can show they have implemented recognized security practices such as the HICP or the NIST CSF.
Garcia also proposed updating HIPAA to require minimum standards drawn from the HICP, the NIST CSF, or other recognized security practices, rather than prescribing cybersecurity standards in the statute itself. The standards should be developed jointly with the HSCC and regulators (OCR, CMS, ONC, and FDA) and cross-mapped for overlap or conflict where the different regulatory regimes intersect. A holistic, cohesive cyber policy strategy is important in a healthcare setting where clinical procedures, medical devices, electronic health record technology, patient information, and IT systems are all interconnected but governed by different regulatory structures and authorities.
Kate Pierce – Senior Virtual Information Security Officer of Fortified Health Security
Before joining Fortified Health Security, Kate Pierce worked for 21 years as CIO and CISO at a 25-bed community hospital in Vermont. She pointed out the cybersecurity gaps at small rural hospitals, which face serious financial and workforce constraints and difficulty hiring cybersecurity talent. Although large healthcare companies may be able to follow the cybersecurity recommendations in voluntary guidance, small hospitals with few resources cannot implement them. She suggests introducing mandatory minimum security requirements because, without such a standard, cybersecurity will not be prioritized above other pressing needs. She added that while mandatory security requirements are essential, small healthcare companies will need help implementing the required security measures. Pierce also discussed the difficulty rural hospitals have obtaining cyber insurance coverage: even when coverage can be obtained, the rates are 35% to 75% higher than those paid by larger healthcare companies and there are usually many more exclusions. Small healthcare companies depend on cyber insurance to ensure they can recover from cyberattacks.
Stirling Martin – SVP & Chief Privacy and Security Officer of Epic Systems
Stirling Martin discussed the current workforce shortages and the problems healthcare companies have attracting and retaining key security talent. He stated that Epic has observed substantial variation in the maturity of security programs at healthcare companies across the country, and that there is no defined standard for what security practices are considered adequate. He also said there is insufficient cybersecurity information sharing among healthcare companies and little threat intelligence from government organizations and the private sector. Martin asked the government to help address the current talent shortage and recommended that the federal government create security training programs and offer incentives for newly trained experts to work in the healthcare industry. He also recommended that federal agencies such as CISA or NIST produce a single set of prescriptive security practices for the healthcare sector, or that this be done through industry initiatives such as HITRUST or collaborations such as the Healthcare Sector Coordinating Council.