Just moments before the Senate vote on a possible strike by railroad workers, Sen. Mark Warner, D-Va., sat down with former FDA Acting Director of Medical Device Cybersecurity Kevin Fu to talk about another pressing issue: getting the healthcare sector needed support on cybersecurity.
At the center of the discussion, of course, was Warner’s recent policy options on cybersecurity as a patient safety issue. As SC Media previously reported, the white paper has been heralded as a “hallelujah moment” among industry leaders who’ve long-sought the recommendations outlined by Warner and his team.
In particular, an incentive program modeled after Meaningful Use to drive cybersecurity adoption received overwhelming support.
“It’s really just a starting point on an issue that is exponentially growing in importance,” Warner said during the University of Michigan’s Archimedes Center for Health Care and Medical Device Security webcast on Thursday.
The discussion provided keen insight into where Warner sees the biggest challenges healthcare needs to overcome — and the areas where he needs more insider information.
“With every advancing technology, there is a deep, dark underbelly,” said Warner. There’s potential for foreign adversaries to take advantage of breaking into key systems to steal incredible amounts of personal information. It’s already been seen with the extraordinary number of ransomware attacks.
“The most exploitable component of our whole business operating universe at this point is really the healthcare sector,” said Warner. “If you're just a plain, old ransomware criminal, your ability to break into a healthcare system and steal that kind of personal information pays exponentially more on the black market than breaking into finance or breaking into a series of others.”
The 3 biggest healthcare cybersecurity challenges
One challenge is the sheer complexity of the makeup of federal agencies, which is “a total mishmash.” The white paper attempted an organizational chart of the many different agencies and entities that touch healthcare and its cybersecurity. As Warner put it, “it’s bureaucracy on steroids. It’s well-intentioned, but with no clear line of control or authority.”
But perhaps a greater hurdle is the serious mindset change that needs to occur “that says cybersecurity has to be baked into healthcare at the beginning,” instead of the bolted-on manner that is so commonplace in the sector.
In order for the incentives piece to work, this “has to fundamentally change,” he explained.
The final piece is the huge workforce issue. As noted in the initial release, Warner’s proposal includes ideas on how to address cybersecurity workforce shortages facing all sectors, including healthcare. It’s more than money: healthcare also needs support on training and retention.
Warner believes it will “take a mix that goes beyond traditional incentives” to address the “enormous challenge.” For example, a loan repayment or loan forgiveness for taking on cybersecurity programs or training employees, as a way for smaller rural providers or physicians groups to be recouped for recruiting efforts.”
“Within the gamut of the cybersecurity workforce, we need to recognize that not everybody's going to need a computer science degree,” said Warner. In all sectors, there must be non-traditional pathways that may even rely on less formal education.
Many educational institutions have created incentives of some sort, but there’s still a lot of progress needed. Warner is hoping the comments may provide further ideas into how to structure training, degree requirements, or other methods to incentivize people into this field.
For healthcare, recruiting new hires is particularly challenging as the salaries are often lower than other sectors. Warner is “looking for all the help” he can to generate fresh ideas on how to make improvements on these challenges.
Progress is happening, but not in short order
In short, there’s an opportunity in Congress to make real change and has already made some incremental progress after the Colonial Pipeline and the SolarWinds hacks. The bipartisan legislation that will require breached organizations to notify the Cybersecurity and Infrastructure Security Agency will go into effect in three years.
“Prior to this, and disproportionately in the healthcare field,” hospital entities would be hacked and “they wouldn't notify anyone,” explained Warner. “They didn't want to go through the public embarrassment.”
But CISA is not meant to be a regulatory agency: the hope is that the agency will be the place where victims and entities “feel like they can share this information on a regular basis.”
This progress is just a starting point for what’s to come, despite some small setbacks. Referencing the failure to pass the PATCH Act, Warner noted the proposed cybersecurity requirements for manufacturers outlined in the bill remain “on the radar screen.”
What’s more important, however, is whether they can create a “systemic structure to look at kind of overall oversight,” or whether the industry continues in its current state with voluntary measures to receive FDA approval.
The requirement to include a Software Bill of Materials with each device is also a “really important component.” When drafting these bills, they didn’t realize “there were no minimal standards for IoT devices.” Warner explained he found IoT device makers, even at the higher end, “didn't want to spend the extra couple of pennies to build that into your security.”
With “literally billions and billions of IoT devices,” Congress is aware of the need to build-in security requirements, at least make things patchable, or ban putting in code that can never be changed. The SBOM is an important item, and Warner is hoping that there will be a package in the future with some of the crucial elements of the Patch Act.
But like most healthcare providers, Warner is not sure they’ve come up with “the right answer completely yet on what to do with particularly old medical devices.” Legacy devices are a persistent and yet to be solved challenge in healthcare, with lingering questions on whose obligation it is to secure a vulnerable 10-year-old MRI with 20 years left in use.
“I don't know how we fully get that right,” he added.
Industry feedback was due to Warner’s office on Dec. 1, but the senator noted that his office extended the deadline and is still accepting comments on these key issues.