UCSD's Christian Dameff during the House E&C committee on July 20.

Healthcare's systemic cybersecurity challenges won't improve without congressional action as there is simply “no carrot,” or incentive, to do so. And small, rural and low-resourced providers can’t afford to make necessary improvements without it, said Christian Dameff, MD, an emergency room physician at the University of California San Diego.

During Wednesday’s CERSI-FDA Cybersecurity Seminar Series, Dameff, who’s also a well-respected hacker and security researcher, once again laid out ongoing challenges facing the majority of healthcare entities and just what’s needed to mend an unfixable problem.

“I've been naturally growing in my frustration and frankness about this exact question because there are no guarantees,” said Dameff. “I'm just going to be very blatantly honest here … there are no carrots.”

“There are only disincentives, fear, and quite frankly, a huge lack of resources for those critical access and will hospitals to do to deploy these types of things,” he added.

The event moderator Kevin Fu, PhD, FDA’s acting director of medical device cybersecurity, concurred, noting that a NIST panel in 2012 detailed the economic incentives needed for medical device security. But, “unfortunately, not too much has changed in 10 years on the economic side.”

A January 2021 modification essentially provides some incentives for providers by mandating the Department of Health and Human Services take into consideration whether entities that report a breach “adequately demonstrate” recognized security practices when they determine penalties. Providers with implemented standards may see “favorable termination” of an audit.

Stakeholders have lauded the effort as a way to ensure providers enacting the best practice security measures they can avoid stiff penalties. But there is certainly much more work to be done to tackle key challenges.

The cyber haves and have-nots of healthcare

Healthcare is among the hardest hit by the cybersecurity professional shortages across the U.S., and there are simply not enough people to work at some of these rural sites, let alone seek out jobs in these more remote places, explained Dameff.

Even without these hurdles, healthcare environments are notoriously difficult to practice in from a cybersecurity professional perspective. As previously reported, the complexity of the environment and level of acceptable risk is vastly different from other sectors, while constrained by stringent budgets and resources.

From a physician’s perspective, attracting talent to healthcare entities are burdened by competing interests and clinicians who complain about the added security measures that can impede swift access in the clinical environment. Dameff added that it’s also hard to recruit and retain talent to be effective in healthcare, and “there's just not enough money.”

In short, “there are cyber haves and there are cyber have-nots,” said Dameff. “There are organizations that have marble floors and palm trees in their waiting room, and someone serenades you with a piano while you wait to go get checked out in the emergency department.” 

“Then there are hospitals literally across the street, county hospitals that bleed money every single year and don't have two nickels to rub together,” he continued. It’s “just an impossible calculus” to expect lower-resourced providers to make that hard decision between investing in cybersecurity, at the expense of launching a new clinic to take care of 100 or 150 diabetics.

The only thing that will move the needle on this, to bring these providers up to a strong cybersecurity posture, is for Congress to take action “to reinvigorate with legislation to fund hospitals that don't have money to invest in cybersecurity.”

An ideal model would be to tie cybersecurity to The Centers for Medicare & Medicaid Services funding, much like the model used in the passing of the HITECH Act in 2009. Dameff explained that the legislation catalyzed the change from paper records to electronic health records. The result of that effort resulted in the overwhelming adoption of EHRs.

Infusing money and “tying incentives — and eventual disincentives” — will support the transition of hospitals from a “nearly indefensible, cybersecurity posture to some defensible position,” as they’ll be able to employ the mitigations needed to secure the healthcare ecosystem, he added. 

For example, multi-factor authentication and intrusion detection systems can provide a strong security foundation in healthcare, but it’s currently underutilized, as many hospitals aren’t going to make those internal investments because they don't have the money.

“There are unfortunately, no carrots right now for them,” said Dameff. “I'm a big fan of salad. Let's give them some carrots.”

Proposals provide some hope for healthcare cybersecurity

As it stands, there are a number of active legislative proposals that aim to chip away at some of these major challenges.

The FDA’s Office of Strategic Partnerships & Technology Director Suzanne Schwartz recently spoke directly to stakeholders who’ve expressed concern that it would take patient harm for federal action, affirming that the agency is actively working behind the scenes with industry leaders to address concerns.

Two recent legislative proposals would both stand up a commission to assess what’s needed to strengthen cybersecurity standards for patient data and detailed highly specific requirements for medical device manufacturers.

And while Dameff was honest in his recent realization “this is going to be a significant problem for some years to come,” these proposals and federal assertions on ongoing work give reason to hope that the healthcare sector will begin to receive some relief in the nearer future.

In particular, the bill requiring the efficient reporting of incidents that could build in transparency and provide “a lot more visibility into just how extensive this problem, as it’s significantly underreported,” he explained.

“Then maybe we'll be able to use some of that information to inform future policy decisions, as well as some type of response and resources for hospitals in the immediate term,” said Dameff. There’s also hope that it could “destigmatize this entire thing.”

“Many hospitals don't want to talk about healthcare cyberattacks, or are afraid of litigation or brand embarrassment, and secretly pay a ransom, chalk it up to some type of technical disruption,” he continued. In reality, “we need to be talking about getting them resources quickly, resolving this issue, protecting them for the next time, while trying to avoid paying a ransom.”