Sen. Mark Warner, D-Va., speaks during an oversight hearing on Dec. 7, 2021, in Washington. (Photo by Anna Moneymaker/Getty Images)

Stakeholder groups representing tens of thousands of members and thousands of provider organizations have responded to the healthcare cybersecurity policy options from Sen. Mark Warner, D-Va., fine-tuning his strong ideas for cyber insurance, incentivization programs, and other needed resource options in hopes of much-needed congressional support.

Cybersecurity is a shared responsibility, according to comments from American Hospital Association, CHIME, and the Association for Executives in Healthcare Information Security (AEHIS). Given the sophistication of many of these attacks, defense against them “is therefore more of a national security issue than an individual private sector organization responsibility.”

“As a result, these situations should not result in organizations being subject to penalties,” AHA wrote.

Prior to the release of Warner’s report, healthcare leaders had grown frustrated with the current pace of progress and what was seen as recycling of past, effective efforts. As SC Media reported following its release, Warner’s ideas were seen as a breath of fresh air as it actually focused on the issues with arguably the greatest impact in the sector.

Warner’s latest cybersecurity push for the sector could not have come at a more opportune time. A large percentage of providers are stretched thin after the pandemic, while facing staffing challenges amid “a war being waged by cybercriminals,” according to CHIME and AEHIS.

“The time for Congress to act is now,” CHIME and AEHIS wrote. "The groups are committed to improving the sector’s posture and reducing overall risks, but stressed that they “cannot do this alone.”

The federal government must act to direct more money to regulators for cybersecurity programs, consider implementing a catastrophic cyber insurance program, and shift to an incentivization program, rather than penalty-based policies.

Current cyber insurance model needs an overhaul

One shared recommendation between these important stakeholder groups is cyber insurance coverage, or lack thereof, which has become an increasing concern for healthcare providers due to the increase in rates and standards required to even obtain a policy.

At a Healthcare Information and Management Systems Society (HIMSS) event this week, Anahi Santiago, CISO of ChristianaCare — a provider organization among the 1% of healthcare entities in the “cyber-haves” — shared her own experience with the cyber renewal process. Despite the very healthy cyber budget and complete implementation of requirements, their cyber insurance premiums increased by 43%.

“Based on what's being asked of us, I know that there's absolutely no way that the 99% other healthcare organizations can afford the investments that are being asked,” Santiago said at the time.

The critical insurance issues were created by the continued targeting of healthcare by foreign actors and should then be considered a national security threat beyond healthcare’s control, according to AHA. As such, the government should create a “reinsurance program” to help victims of high impact cyberattacks, in the same manner victims of international terrorist attacks would be supported.

For CHIME and AEHIS, the way to combat the untenable situation is by creating a federal catastrophic cyber insurance program able to offset “the extremely high costs” facing provider organizations, which can “serve as a backstop for those unable to obtain insurance on the open market.”

AHA agreed the launch of a “cyber disaster relief program” is “an inherent public health and safety interest,” as it would relieve cyber victims in healthcare both during and after an incident “through the provision of financial, technical, and human resources.”

Bill Bernard, assistant vice president of Security Strategy for Deepwatch, previously shared with SC Media another way to alleviate these problems: centering incentive programs around cybersecurity insurance, or through a reduced cost cyber insurance program for entities that are hard to insure, like those in healthcare, only if they meet required security criteria.

Any of these ideas or a combination could limit the current insurance debacle, but at a minimum, stakeholder groups stressed that the federal government should also be providing stronger oversight of private cyber insurance carriers.

Where can incentives create the most impact in healthcare?

As SC Media reported on the heels of the report, Warner’s suggestions were seen as a massive moment — particularly around an incentivization program. CHIME and others groups have long recommended the approach as a means to avoid penalizing struggling providers that put in industry-standard requirements but fell victim to a cyberattack despite those efforts.

The Safe Harbor Act issued in January 2021 created the means to incentivize provider organizations for meeting best practice cybersecurity requirements instead of massive monetary penalties. Warner’s approach is modeled after Meaningful Use, a policy that incentivized providers for adopting electronic health records and led to widespread adoption.

“A voluntary cyber incentive program is needed to help offset the investments needed by healthcare providers to improve their cyber posture and reduce patient safety and national security risks,” according to CHIME.

For AHA, the financial incentives directed to smaller entities should center on resource development for digesting cyber threat intelligence, identifying IOCs, and applying recommended technical measures, in addition to qualifying grants for providers working to adopt the technology and practices outlined in the NIST cybersecurity framework and the healthcare-specific guide known as 405d.

CHIME agreed that a grant program targeting small, medium and under-resourced providers will indeed help address immediate cybersecurity needs. The group took it a step further, suggesting that policy levers for incentivization “should be prioritized over penalty and punitive structures.”

“Congress should modify the penalty structure for healthcare providers under The Health Insurance Portability and Accountability Act who suffer a cyber incident to make it less punitive,” according to CHIME. “Healthcare providers — especially small and under-resourced ones — should not be forced to continue to shoulder the entire burden of cyber crimes.”

What’s more, “Stark and anti-kickback policies should be changed to broaden the category of what types of technology is eligible for donation and prohibit donor recipients from taking legal action against their donor in the event of a cyber incident,” they added. There’s also a need for a “cash for clunkers” program for healthcare providers and “not to device manufacturers.” 

Further, while the government looks to develop a workforce training program specific to healthcare cybersecurity and other workforce programs, “providers would also benefit from financial incentives or government-contracted cybersecurity entities to contract with third party cybersecurity service providers,” AHA wrote.

The AHA also recommended that the incentives be directed to threat information sharing organizations like Health-ISAC, given its importance to sector priorities, while CHIME believes Congress should appropriate more funding to the Department of Health and Human Services for its Cybersecurity Coordination Center, ASPR, the 405(d) program for industry support.