The healthcare sector is still at an increased risk, so what can stakeholders do to fight off cyber threats?
In February, Senator Mark Warner, the vice chair of the Senate Intelligence Committee and co-chair of the Senate Cybersecurity Caucus, sent a letter to 12 healthcare organizations and four federal agencies asking for feedback on the security and resiliency of the healthcare industry.
Warner wrote in the letter, “I would like to work with you and other industry stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the healthcare sector.”
In the letter, Warner expressed concern about sensitive medical records and said that while the increased use of technology in healthcare could improve the quality of patient care, expand access to care and reduce wasteful spending, technology has also made the industry more vulnerable to attack.
Among other things, Warner asked leaders to share:
Warner also asked if the government is doing enough to reduce vulnerabilities with a national strategy and what else the government can do to improve cybersecurity efforts.
The Institute for Critical Infrastructure Technology (ICIT) identified seven public responses to the questions from AdvaMed, American Medical Association, American Hospital Association, College of Healthcare Information Management Executives, Healthcare Leadership Council, HITRUST and Virginia Hospital and Healthcare Association. ICIT published a report detailing key themes and takeaways from the organizations’ responses.
Healthcare continues to face more complex and severe cybersecurity threats.
Every healthcare organization is at risk for many threats against every exposed system. But ICIT wrote in its report that the industry can improve its cyber posture through collaboration with public and private sector stakeholders and experts. Meaningful collaboration has been one of the most under-utilized, cost-effective and impactful strategies that organizations can roll out to decrease the risk of evolving cyber threats.
Through collaboration, organizations can strengthen data protection and gain more proactive deterrence options. Collaboration between stakeholders also improves detection and response efforts and prevents pass-through and supply chain attacks.
The results of the Verizon 2018 Protected Health Information Data Breach Report highlighted a lack of cyber-hygiene and cybersecurity controls.
Stakeholders must do as much as possible to mitigate threats to healthcare systems and health data.
With a lack of proactivity from stakeholders, patients feel the impacts of breaches because hospitals act after the incidents have occurred. Then, patients’ digital health and financial future are in jeopardy so hospitals can minimize cybersecurity in their budgets.
According to the Health Care Industry Cybersecurity Task Force, 85% of U.S. hospitals do not have a cybersecurity professional on staff to secure their networks and systems. There has also been no effort to secure legacy computer systems or government effort to develop programs to help smaller healthcare practices get more cybersecurity personnel.
The healthcare sector is deficient in proactive foundational security policies, procedures and technical controls that could mitigate internal and external threats.
AdvaMed responded to Warner’s questions with information on past and current efforts by the organization to improve its medical device cybersecurity. The organization supported the development of cybersecurity consensus standards.
The American Hospital Association believes cybersecurity best practices are detailed under section 405(d) of the Cybersecurity Information Sharing Act of 2015, which were developed through collaboration after months of deliberation.
HIPAA is complex, resource intensive and offers minimal standards for healthcare data privacy and security, according to stakeholders.
HIPAA-compliant health systems might have fewer resources to improve their cybersecurity efforts and proactively fight off and mitigate threats.
The College of Healthcare Information Management Executives said that complying with HIPAA is insufficient in preventing data breaches and that strict adherence to HIPAA could result in weakened cyber defenses.
Policies are being introduced to improve interoperability and to promote the use of health technology, but cybersecurity measures must be put into place to protect patient health data.
ICIT wrote in its report that future policy recommendations should include security requirements that exceed minimal efforts and are not punishable.
ICIT suggests that, instead of punishing providers who experience cybersecurity incidents, which reduces their resources to modernize practices, emerging governance should incentivize organizations to learn from their mistakes and share their lessons with other stakeholders.