White Paper Outlines Potential Policy Changes to Address Healthcare Cybersecurity
Data breaches are being reported by healthcare organizations at a rate of around two per day when just four years ago they were being reported at half that rate. In 2021, 45 million people were affected by attacks on the healthcare industry, which is a 32% increase from the previous year. Many of these attacks involve the use of malware or ransomware, which can either prevent access to systems through encryption or force those systems to be taken offline.
In addition to the healthcare industry being an attractive target due to the value of patient data, cybersecurity in healthcare is poor compared to other sectors. Vulnerabilities remain unaddressed, and many healthcare organizations fail to follow industry best practices for security. Something needs to change
Progress is being made at improving cybersecurity in healthcare, but according to Senator Mark Warner (D-VA), “The transition to better cybersecurity has been painfully slow and inadequate.” Warner says cybersecurity in healthcare is a second-tier issue, and that needs to change because cyberattacks – and ransomware attacks in particular – threaten patient safety. These attacks threaten the ability of healthcare organizations to operate, access to patient records is prevented, diagnostics and testing is delayed, appointments are canceled, and ambulances are diverted. These disruptions affect patient outcomes and can potentially threaten lives.
Potential Policy Changes to Improve Healthcare Cybersecurity
Currently, Medicare imposes standards on participating practices to deal with natural disasters such as requiring measures to be implemented to prevent the spread of hospital-acquired infections and emergency power sources are required to ensure that care can continue to be provided in the event of hurricanes and earthquakes. Warner believes that cybersecurity should be treated with equal importance, and Medicare should demand participating healthcare providers achieve a minimum level of cybersecurity and follow standard cyber hygiene practices.
That was one of several recommendations for potential policy changes that were proposed by the Office of Sen Warner in a recently released white paper – Cybersecurity is Patient Safety – Policy Options in the Health Care Sector. It cannot be left to individual healthcare organizations to make the necessary changes to improve cybersecurity across the industry. What is required is a joint effort by the public and private sectors, led by the federal government.
Currently, many government agencies have responsibility for certain aspects of cybersecurity and even within the Department of Health and Human Services there are multiple agencies, each with responsibility for certain aspects of cybersecurity, yet there is a lack of clearly defined roles and no overall leader at the HHS who is responsible for reporting to the Secretary of the HHS and is accountable for cybersecurity across the HHS as a whole. According to the white paper, that role needs to be created, and that person would be tasked with effectively partnering with other agencies to further cybersecurity goals and advocate for the HHS to be given the resources it needs to succeed.
The National Institute of Standards and Technology (NIST) has been issuing valuable guidance on cybersecurity and has developed the NIST Cybersecurity Framework, which can be followed to improve cybersecurity; however, as useful as the Framework is, there is a lack of healthcare-specific guidance. Healthcare organizations need more assistance with cybersecurity, which the white paper suggests could be tackled as a Framework Profile, as has been created for manufacturing and election infrastructure.
HIPAA Updates Could Help to Address Healthcare Cybersecurity Gaps
The HIPAA Security Rule was enacted to ensure minimum standards for security were implemented to ensure the confidentiality, integrity, and availability of protected health information, but it has been 18 years since compliance became mandatory and a lot has changed in that time. The HIPAA Security Rule currently fails to fully address safeguards to protect against current and emerging threats, and a great deal of healthcare data is not covered by HIPAA, as it is collected through software applications and consumer devices. The white paper suggests modernization of HIPAA is required to address a broader scope of cybersecurity threats and there is a need to expand the entities that are covered by HIPAA.
Recruiting cybersecurity professionals in healthcare is a major challenge due to the global shortage of skilled cybersecurity professionals. This could be tackled by implementing a workforce development program focused on healthcare cybersecurity to help develop a skilled workforce. The government should consider a student loan forgiveness program to encourage newly qualified cybersecurity professionals to take on positions in rural areas, similar to the National Health Service Corps (NHSC) Loan Repayment Program (LRP).
Incentives Required to Encourage Improvements in Cybersecurity
It is often only when a cyberattack or data breach occurs that healthcare organizations take steps to improve security, for example, many healthcare providers only implement multifactor authentication after they have experienced a phishing-related data breach. The white paper suggests improvements can be made to cybersecurity across the industry through a combination of incentives and requirements. In addition to the suggested requirements for Medicare, healthcare organizations should be incentivized to implement cybersecurity best practices. Insecure legacy systems could be addressed through an incentive program similar to the 2009 Car Allowance Rebate System (CARS), commonly referred to as the “cash for clunkers” program. Such a program could help push the industry into replacing legacy systems that are a security risk, or alternatively, providers of medical devices could be required to better align patching and servicing with the life cycle of large medical equipment.
As the recent Log4Shell demonstrated, a huge range of devices can be vulnerable through their software components, but many organizations were unaware that they were using products that contained the affected Log4J Java-based logging utility. The white paper suggests Congress should mandate the publication of a Software Bill of Materials (SBOM) for all software and devices used by the healthcare industry, to ensure that products with vulnerabilities can be rapidly secured.
Preparedness for Cyberattacks Needs to Improve
Even with improvements to cybersecurity, some cyberattacks will still be successful. In the event of a successful attack, preparedness is the key to a fast recovery and limiting the potential for an attack to threaten patient safety. The white paper suggests specific emergency preparedness procedures should be developed, potentially also mandating training for healthcare staff on the use of analog equipment and legacy systems, to prepare for a catastrophic failure to connected systems.
In the event of an attack, recovery can be costly. Currently, there are programs that provide assistance in the event of a natural disaster. The white paper suggests a similar disaster relief program should be created to help healthcare organizations recover from cyberattacks, and for Congress to consider a safe harbor or immunity for organizations that have implemented reasonable cybersecurity measures. The HHS’ Office for Civil Rights is now considering the Recognized Security Practices (RSPs) implemented by healthcare organizations, but this is not a safe harbor. Implementing RSPs will not prevent financial penalties.
Sen. Warner said his office is sharing the white paper and suggested policy changes to solicit feedback, comments, and further ideas on how cybersecurity can be improved.
“Any individuals, researchers, businesses, organizations, or advocacy groups that are interested in submitting comments – specific to the content and questions outlined in this document or additional ideas or language for inclusion in eventual legislation – should send a letter or an email to cyber@warner.senate.gov.”