Sen. Mark Warner, D-Va., released a healthcare cybersecurity white paper with policy options. Aptly named “Cybersecurity is Patient Safety,” the insights make key recommendations to address systemic challenges, including the creation of a workforce development program targeting the sector and the use of incentives and requirements to improve cyber hygiene.
“The transition to better cybersecurity has been painfully slow and inadequate,” Warner wrote. “The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities.”
Pulled together by Warner’s staff and based on input from healthcare and cyber stakeholders, the paper is centered on the concept that the only way healthcare’s cyber posture will improve is with a collaborative focus from public and private sectors and supported by federal leadership.
The paper is Warner’s latest push for regulators to better equip provider organizations in the fight against highly targeted cyberattacks and overall resource gaps preventing widespread adoption of needed tech and other long-standing cybersecurity hurdles.
Warner breaks down these issues into three sections focused on improving federal leadership and risk posture, programs and proactive measures for cyberattack recovery, and needed incentive programs and requirements able to improve the sector’s cybersecurity capabilities.
Stakeholders support incentives rather than mandates on cybersecurity
Providers are struggling to better adapt their cyber capabilities and fully build a “robust response system in order to efficiently recover from attacks.” This can be seen with the recent — and outgoing — outages faced at multiple healthcare providers. CommonSpirit is still working to fully recover all of its hospital systems after a ransomware attack struck more than one month ago.
One way to better support provider organizations is through incentives. It’s a measure long-requested by industry stakeholders, some even suggesting a program similar to meaningful use. The program incentivized providers to shift from paper processes and adopt electronic health record (EHR) systems, which lead to nearly 100% adoption.
Warner outlined current policy considerations for possible incentives, including a program to phase out legacy systems. “Some have suggested that a model based on the 2009 Car Allowance Rebate System (CARS) or ‘cash for clunkers.’” This could “be a helpful way to phase out these insecure pieces of equipment.”
“Any incentive program should only cover equipment that meets certain minimum requirements that also include eliminating or minimizing equipment and software lifecycle gaps,” Warner wrote. This type of program could “push the industry towards developing more modular, updatable medical equipment that conforms to some minimum standards in cybersecurity.”
Indeed, stakeholders have long-warned that healthcare continues to rely on outdated technologies because they continue to function and the cost to replace would be far too great. Warner also noted that “some groups believe there should be a requirement to restrict sales of medical devices with software that is already no longer supported.”
Other incentive programs could tackle product procurement, inventory tracking of medical equipment, and other means to reduce the lifecycle gap.
The paper warns healthcare has been hit hard with the cybersecurity workforce challenges facing all industries. And “when cybersecurity teams are stretched too thin — or worse, when lacking a cyber team altogether — an organization is left especially vulnerable to cyber threats,” according to the paper.
To address these shortages in healthcare, Congress should stand up a cybersecurity workforce development program focused on the sector “tailored to prepare cybersecurity professionals to confront cyber threats that are specific to the healthcare environment.” The program would lean on community colleges and professional certification programs to create a skilled workforce.
Further, Warner again makes the case for modernizing the Health Insurance Portability and Accountability Act, which was not designed for the modern state of digital health and data challenges. Namely, HIPAA does not cover consumer-generated health data from apps.
The recommendation is to mandate “a regular process” for HIPAA that would “address a broader scope of cybersecurity threats instead of just focusing on covered entities’ responsibility to protect a patient’s personal health information,” Warner wrote. Specifically, “Congress could direct HHS to update HIPAA to expand what entities are covered and what actions are permitted.”
The paper includes a host of policy considerations and all healthcare stakeholders are encouraged to respond with important feedback and includes questions that stakeholders can comment on to inform these policies.
Warner has long-championed the need to support healthcare providers with a more agile response to cyber threats. The paper is designed to fuel conversations to flesh out the recommendations and obtain needed federal support to bring these programs to fruition.
