On February 21, 2019, Sen. Mark Warner (D-Va) requested feedback from a number of healthcare organizations and federal agencies on how the U.S. government and the healthcare sector can enhance cybersecurity.
Healthcare industry stakeholders were asked a number of questions regarding the steps that have already been taken to improve cybersecurity, address vulnerabilities, and respond to cyberattacks. Sen. Warner additionally sought recommendations on possible strategies that the U.S. government could adopt to boost cybersecurity nationwide.
Many responded to Sen. Warner’s request, including AdvaMed, the American Medical Association (AMA), the American Hospital Association (AHA), the Healthcare Leadership Council (HLC), the College of Healthcare Information Management Executives (CHIME), the Virginia Hospital and Healthcare Association (VHHA) and HITRUST.
The Institute for Critical Infrastructure Technology (ICIT) collected and analyzed the responses and identified a number of common themes, one of which was the need for meaningful collaboration between public and private sector experts and industry stakeholders. Cybersecurity is not something that can be effectively tackled by healthcare organizations and the government in isolation.
Meaningful collaboration enhances detection and response efforts and can help to prevent pass-through and supply chain attacks. Large healthcare companies often have the means to prevent, detect, and mitigate attacks, but small healthcare companies are vulnerable as they do not have the resources to devote to cybersecurity. Through collaboration, large healthcare organizations can share their insights to help smaller companies, and by helping to prevent attacks on those partners they benefit by preventing lateral movement from their partner networks.
The HLC and the AHA highlighted the need to improve cybersecurity awareness and information sharing. AdvaMed also highlighted the value of information sharing and analysis organizations (ISAOs). ISAOs distribute cybersecurity alerts promptly, which allows members to be proactive and prevent cyberattacks and security breaches.
Proactive cybersecurity was an important theme. It is necessary to transition from a reactive approach to breaches to a proactive approach that prevents data breaches. Being proactive requires investment in cybersecurity, but it is a cost-effective strategy as penalties, breach remediation expenses, and lawsuits can be avoided.
The AHA focused on the risks of cyberattacks on legacy systems. Legacy software and systems were created when cybersecurity was not yet a big concern. The AHA pointed out the importance of the FDA raising awareness of the risks to legacy systems and distributing guidance to help healthcare organizations strengthen cybersecurity for legacy systems and software.
The sophistication of healthcare networks is a key issue, particularly with the increasing use of IoT devices. Although a lot of healthcare companies have protected their servers, laptops and desktops, other devices such as drug infusion pumps, imaging systems and embedded medical devices are left relatively unprotected. Healthcare companies often struggle to identify all of the devices that connect to their networks. Ensuring that each of those devices is appropriately secured is a major challenge.
The complicated nature of HIPAA means a considerable amount of resources must be devoted to compliance, yet compliance with HIPAA standards only achieves a basic level of security. HIPAA compliance doesn’t necessarily help stop data breaches. HIPAA-compliant healthcare companies often have fewer resources to devote to improving cybersecurity and being more proactive.
ICIT suggested that healthcare organizations that experience cyberattacks should not be punished if they have achieved a certain standard of cybersecurity; instead, the government should incentivize them to learn from their experience and share the lessons they have learned with other industry stakeholders.
HITRUST, CHIME, the AHA and the HLC have suggested there should be a safe harbor for healthcare companies that show they are complying with the HIPAA Security Rule and that they should be given immunity from enforcement actions due to data breaches. The safe harbor would encourage greater investment in cybersecurity, rather than just reaching the minimum level of security necessary for HIPAA compliance.