U.S. hospitals operate with minimal to no cybersecurity programs and face a bevy of challenges from staffing to COVID pandemic-related strains. These concerns prompted healthcare leaders to press legislators for federal incentives and new mandates for base-level cybersecurity standards.
Kate Pierce, Fortified Health Security’s senior virtual information security officer, outlined the current challenges facing healthcare at the Homeland and Governmental Affairs Committee on Thursday.
But failure to implement best practice security isn't necessarily rooted in a lack of lawmakers' understanding.
Under current regulations, healthcare delivery organizations are required to comply with the Health Insurance Portability and Accountability Act. The trouble is the Security Rule has just 42 controls, compared to the NIST Cybersecurity Framework employed by most industries — except healthcare.
And despite the minimum standards, a September 2020 CynergisTek report showed that just 76% of healthcare providers comply with the rule. These security gaps have left the industry with a heightened threat landscape, further compounded by a reliance on legacy platforms and an ever-expanding device inventory.
Awareness of the issues is at an all time high, given the daily reports of hospital outages and massive data breaches; even congressional members have been impacted.
Further, healthcare organizations were required to perform risk assessments after the implementation of the HITECH Act in 2009, Pierce explained. “So everyone is now aware of where their risks are.” But "they're choosing to accept those risks in lieu of mostly financial reasons where they can't afford or can't staff their personnel to address those risks,” she added.
“Small and rural facilities are currently devastated by the pandemic with staffing shortages. They’ve seen significant increases in cost with supply chain and technical costs skyrocketing,” said Pierce. These facilities also tend to serve lower income patients, as the Medicaid population is typically higher in rural facilities.
That means hospitals, already operating in the red, then have to wait for Medicaid reimbursement for payment, which historically lags and is lower than the average cost of care. These hospitals are facing high costs, combined with some entities running 5% to 10% below budget for their facilities.
By moving to a required security model, “I believe that those recommendations and guidance will be very helpful in moving that sector to secure their environments.” Especially as the challenges facing these entities will only worsen with the continued expansion of digital health and connected devices and cybersecurity remains a second thought.
“Cybersecurity initiatives cannot be considered in isolation,” said Pierce. “Cybersecurity should be a built-in requirement for all hospitals with minimum standards, and Medicaid should be reimbursed at cost.”
This can be through hospital subsidies, in the form of grants, by increasing reimbursement for Medicaid services, or cyber incentive programs, as cybersecurity, or lack thereof, has a direct and immediate impact on patient care.
Not another framework: Senate urged to use industry guidance
That’s not to say the government needs to start from scratch on building a framework. As SC Media has extensively reported, there’s no shortage of recommendations or guidance — and much of it is freely available.
The leading recommendation from healthcare stakeholder groups is to leverage existing guidance developed “by the sector for the sector and jointly with the Department of Health and Human Services,” Greg Garcia, executive director of cyber security for the Healthcare and Public Health Sector Coordinating Council, told the committee.
Developed by the section 405d task group, the five-volume voluntary guidance will be updated in a few weeks as Health Industry Cybersecurity Practices 2023. Garcia added that these are developed practices of “minimum security standards all health systems should be implementing.”
“There is a glut of information security best practices out there,” said Garcia. The government just needs “to pick one because there is a lot of confusion.” HSCC advocates for the HICP, as it’s “probably the best effort at a joint government industry publication offered freely accessible to all health systems.”
But once a framework is chosen, the Cybersecurity and Infrastructure Security Agency needs to “follow and push that along with” the industry, he continued.
As it stands, it’s the small, rural, and other low-resourced entities that are unable to make use of available information, explained Pierce. “It's not a priority currently because there are so many other things that are competing with it.” That, and there may or may not be the staff to put those best practices into place.
Particularly as these are just just a set of recommendations and not a requirement.
The healthcare sector also needs help ensuring there is adequate staff to execute and implement those best practices, said Dresen.
Ideally, the government would advocate or sponsor “programming to help build a cyber educated workforce,” explained Dresen. That way, there are enough qualified individuals to join these under-resourced entities to implement the best practices.
In its current state, “nearly all the staff in critical access hospitals or small facilities wear many hats,” Pierce added. “They don't specifically focus on cybersecurity.”
Some type of workforce program, previously introduced by Sen. Mark Warner, D-Va., “would be extremely useful in the context of healthcare” and give these entities the ”ability to hire people and get them implementing those best practices to support our protections,” said Dresen.
Beyond the echo chamber
The committee meeting provided insights industry stakeholders have been seeking from the government for several years. At a similar hearing in May 2022, Josh Corman, founder of the voluntary organization of security professionals I am the Cavalry, warned that “voluntary practices, where we take our time, have not proven sufficient to transcend the market failures.”
Despite warning that there simply isn’t “sufficient reach to these cyber-poor [organizations],” it wasn’t until Warner’s policy options were released in the fall that it seemed like stakeholders’ concerns were being heard. The paper mirrored Corman’s previous warning, “Congress wants action, entities must be incentivized to do so: “we need sticks and carrots.”
Christian Dameff, MD, an emergency room physician at the University of California San Diego, made similar statements in April 2022 to Congress.
Healthcare sector leaders are growing worried that federal support will continue to take time. Pierce urged the committee “to not delay any longer. “Many [hospitals] are already on the brink of closure.”
“With the competing priorities… it's very difficult to focus on something that is not required,” said Pierce. “If I had 10 things to do today, and I knew that two of them were mandated… those are the things that I'll focus on.” As the government continues to seek recommendations, leadership must make it an imperative to implement best practice standards.
But not “without supporting us in achieving those standards,” she concluded.
