COMMENTARY: For years, healthcare industry stakeholders have sought out federal support to address the cybersecurity crisis in healthcare. More than two decades ago, providers were incentivized to transition into the digital age with electronic health records, an effort led by the federal government that resulted in nearly full adoption to digital records.
But as one might expect, directly connecting such sensitive health information has led to some of the largest data breaches. Today, health care organizations have been hit by a steady stream of targeted attacks that have led to data exfiltration, extortion, breach lawsuits, privacy violations, and compliance concerns.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
In the beginning, many of these disruptions were caused by educational and awareness gaps, combined with the biggest issue: the regulation used to hold healthcare entities accountable was written well-before the healthcare sector went remote and hyper-connected.
The truth: Our systems were never designed with security in mind.
Industry stakeholder groups like the Health Sector Coordinating Council (HSCC) and the Department of Health and Human Services stood up to take on the task of getting healthcare organizations up-to-speed on the risks and likelihood of attacks, including volumes of healthcare-specific cyber measures that would take providers into the modern age and improve cyber resilience.
But, alas, adequate funding for these measures never materialized from Congress, especially for rural healthcare providers.
Sen. Mark Warner, (D-Va.), laid out exactly what healthcare organizations needed in 2022 in a policy plan lauded by the very stakeholders who’ve been banging the drum for federal support for years.
What’s needed? According to Warner, whose plan was drafted in support by members from every corner of the healthcare sector: providers need incentivized baseline measures, workforce training and staffing support, and mandated measures that go beyond HIPAA.
Before Change Healthcare, Ascension, and even Crowdstrike, industry leaders felt confident that the measures in HSCC’s five-year plan and the Cyber Performance Goals (CPGs) might come to fruition and the federal help would come.
Of course, no help will come in the foreseeable future given the inability of the Congress to agree on anything these days. So it’s probably not wise to expect federal support for leadership on the effort to secure our nation's healthcare critical infrastructure.
States lead the way
Indeed, historically in the United States, when the federal government can't or won't lead the way, states like California or New York often step into the leadership position. And it’s happened again. California led the way with consumer privacy protections with a law that mimics the stringent protections of GDPR, while New York will likely take the helm on what baseline cybersecurity measures for hospitals should look like.
New York’s proposed hospital cyber requirements include creating a new compilation of codes, rules, and regulations that would create mandated cybersecurity requirements for all hospital facilities. The proposal includes the adoption of cybersecurity programs that define protocols, procedures, and core functions, policies to consider after a risk assessment, a requirement to designate a chief information security officer (CISO) responsible for the creation, implementation, and oversight of a cybersecurity program, and requirements for testing the vulnerability of a general hospital’s cybersecurity program.
The proposal in New York would also require providers to leverage audit trails and records maintenance, as well as retention rules and even expressed requirements for incident response and third-party vendor requirements. The detailed rule mirrors many of the recommendations outlined in the HHS CPGs and the HSCC plans – which again, are not laws, just guidebooks for getting healthcare organizations into a more cyber resilient posture.
The federal government should not seek to create what’s already been built: healthcare has its frameworks, understands its mission, and overall, stands ready to do what’s necessary to mature the enterprise cyber posture. But without incentives that come equipped with staffing and training guidance, these measures will fall short.
The impact of the cybersecurity talent gap
Healthcare organizations also remain some of the most impacted by the cybersecurity professional shortages across the U.S. There are simply not enough people to work at these rural sites, nor are there incentives to do so. If a cyber leader could work at a tech company with a large swath of tools and support, or in a busy healthcare system with tens of thousands of devices, limited visibility, and constrained resources, the choice becomes clear.
Ideally, Congress would leverage a similar approach that was used to get healthcare providers to adopt digital health records. For example, tying cybersecurity upgrades to Centers for Medicare and Medicaid Services funding, much like the model used in the passing of the HITECH Act in 2009. The infusion of funds and tying incentives and later penalties to cyber adoption will support the transition of hospitals from an indefensible cyber posture to better cyber resilience.
Using state efforts like the proposal in New York as a guide, the federal government should step in to help healthcare providers struggling to protect their organizations from cyberattacks. Most likely, Congress won’t help anytime soon. However, there are resources out there that can begin chipping away at this mountainous task. Healthcare defenders need only reach out to area partners and industry leaders for help in this national fight.
Toby Gouker, chief security officer, First Health Advisory
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
