The federal government has set its sights on improving healthcare’s cybersecurity posture through collaborative partnerships. However, stakeholders are frustrated, some even angry, that its proposals appear to recycle past work rather than build on the foundation these leaders have spent their careers laying.
To be clear, any government awareness of healthcare’s challenges and resource gaps is certainly a welcome change in this space, as these leaders know that the longstanding challenges will not be solved in isolation.
Healthcare has long asked for federal assistance, but the current proposals miss the point. The leaders’ frustration stems from apparent gaps in understanding both what has already come to fruition in building industry-focused resources and what makes cybersecurity so tough in this industry.
These leaders are, of course, referring to the ongoing Health Sector Coordinating Council’s efforts to create highly tailored resources for provider organizations and the 2015 Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force.
The members represented a wide range of healthcare and public health entities. Published in June 2017, the culmination of their work was presented to Congress and spotlighted the evolving cyber risks to healthcare and the precise challenges faced by these entities.
What followed was a much-lauded, meticulous five-volume cybersecurity resource guide, broken down by technical knowledge, entity size and specific security needs. In total, the project took about five years, explained Fortified Health Security CEO Dan L. Dodson.
So when the FBI issued an alert on the risk of legacy medical devices to healthcare infrastructure (an issue long publicized by groups like The College of Healthcare Information Management Executives, or CHIME), or when the Cybersecurity and Infrastructure Security Agency and NIST asked for feedback on building healthcare frameworks, it’s easy to see why industry leaders might be aggravated by the current pace and focus of government efforts.
“There's a lot of focus around risk assessments, risk frameworks, then it's another framework: Guys, frameworks, in and of themselves, do not protect you — and we need protection,” said Dodson. “All it does is tell you what you need to do to become protected. It's an important step, but it's the first step.”
“And that's where the government continues to be focused,” he continued. “We don't need help on the first step, guys: most health systems do an assessment and most of them do it externally with a third party, which is best practice. We got the first step, which is what they're recycling.”
Behind the scenes, stakeholders shared similar viewpoints with SC Media on background.
That is until Sen. Mark Warner, D-Va., released policy options detailing actionable measures, like workforce development and cybersecurity incentive programs.
The paper has been deemed a “hallelujah moment,” particularly by First Health Advisory CEO Carter Groome, who has long proposed creating an incentive program modeled after Meaningful Use. MU incentivized providers to move from paper processes, which led to nearly complete adoption of electronic health record systems across the sector.
In fact, Warner surprised one of the largest stakeholder groups with the paper just before it was released to ask questions and gauge if the paper was on the right track: it was. The senator has long pushed for support in the industry, so it’s clear why this paper was so successful in its proposals.
The consensus is that Warner’s proposals are an ideal jumping-off point for making real change in a sector well-known for dragging its feet on cyber progress. As there’s a one-month comment period for stakeholders to provide feedback, SC Media spoke to sector leaders to determine just how to make the most of current government efforts — and avoid the current cyclical initiatives.
Groome; Dodson; Health-ISAC Chief Security Officer Errol Weiss; Bill Bernard, assistant vice president of security strategy for Deepwatch; and Jerry Caponera, general manager of risk quantification for ThreatConnect, weighed in on just what that would look like.
“This is a massive moment,” said Groome. “This is a big deal: A lawmaker is saying we need to do something in terms of reimbursement. … To me, this is the mechanism that could move the needle, and it's the best idea to come about in all of these conversations in the last couple of years.”
“We just need congressional support to make something happen,” he added. “Now, that could be a year, that could be three years, but at least it's there on paper. And that's a huge deal.”
The great debate: Carrot or stick?
Long before patient safety became a buzzword for healthcare cybersecurity, Christian Dameff, MD, renowned medical device security evangelist and an emergency room physician at the University of California San Diego, spent his career advocating for federal support.
In April, Dameff warned that the systemic cybersecurity challenges in healthcare won't improve without congressional action because there is simply “no carrot,” or incentive, and small, rural and low-resourced providers can’t afford to take on those improvements without funding.
“I'm just going to be very blatantly honest here … there are no carrots,” said Dameff. “There are only disincentives, fear, and quite frankly, a huge lack of resources for those critical access hospitals to deploy these types of things.”
Consider the current state of enforcement actions. Bernard referred to the largest settlement ever handed down by the Department of Health and Human Services Office for Civil Rights (OCR): $16 million against Anthem over a lengthy, undetected breach of protected health information.
“To be candid, that’s nothing for Anthem,” he continued. They get a couple of lawyers in the room for a few days and spend $16 million, and it’s just “a small bite. … The incentives are cross-wired.”
“Part of the challenge with government and healthcare is that the government is both a driver of regulation, but also a backstop,” said Caponera. What happens in healthcare compared with other sectors is vastly different. If someone in financial services or another industry gets hit due to poor security measures, “it's a totally different world.”
In fact, the company will “pay until they invest heavily to make sure that doesn't happen,” he added.
That’s the real challenge in healthcare. It’s a critical service industry and the majority of providers are operating in the red or with razor-thin margins, so the same kinds of enforcement actions seen in other industries could result in shuttered hospitals or limited services.
This has been the argument for carrots in healthcare for many years: enforcement actions have been the only course of action for improving security posture in healthcare since the Health Insurance Portability and Accountability Act was enacted in 2009.
However, the same resource and staffing challenges have remained largely unchanged. As such, funding should be the government’s key focus, and it’s “the only thing that will move the needle,” said Caponera. But it shouldn’t be blanket grants, as the posture of these organizations won’t change unless the funds are applied to the right areas.
Caponera took it a step further to indict problematic vendors. Providers should be required to do full post-mortem analyses to find the cause of a security incident or data breach, which could be shared with a reporting body able to track trends with vendors that don’t patch vulnerabilities within 30 days of discovery.
In that example, the vendor could then be “knocked down by a great level or two.” To remain a preferred vendor from then on, the vendor’s product costs would double; and if the vendor continued to neglect key elements, the company could be placed on a list of those no longer preferred in the government space.
“We can create an incentive program that is outcome driven,” said Caponera. The trouble is that these joint government efforts tend to focus on a narrow area, or the language is vague. An incentive program along these lines will ensure all parties are being held to the same standard.
“We have to deal with the consequences of past decisions, whether it's fair or not,” he added. “The farther left in the development cycle you spend money on to reduce risk, the greater the ROI, all the way down. But the problem is, the way we procure and use everything is a point solution. Everything is a point solution.”
That’s where the government should focus: coming in and being the layer that cuts across all of these disjointed pieces.
The winning proposal: incentivization programs
In its current state, OCR is tasked with regulating healthcare, including auditing when a breach is reported, providing assistance when there’s a knowledge gap, and taking enforcement actions for non-compliance. But those efforts are limited by staffing challenges within the agency, which means not all breached providers are audited.
Not to mention that audit results and civil monetary penalties take years to arrive, and those penalties have done very little to raise healthcare’s cybersecurity posture.
“I don't think anyone cares about the OCR enforcement penalties, to be honest — that's not in the calculus of decision making; that's not material enough,” said Dodson. “To move the needle, what we need to figure out is, how do we put some subsidies in place, considering this is critical infrastructure?”
“It's completely unacceptable in the U.S. to have a health system go down for weeks or months because of a cyber event. That’s just ridiculous,” he continued. “It’s critical to society to be able to deliver care, so we have to figure out a way to provide assistance to some of these organizations so they can put in some standards to at least recover in the event of disaster.”
There are a couple other things that healthcare can do from a regulatory perspective, “but they're not needle-movers,” said Caponera. “I don’t think there are enough carrots or sticks, to be completely fair.”
Warner suggested the creation of an incentive program that would provide hospitals with funds for implementing certain security measures. But just what would that program look like in action? Stakeholders have some strong ideas on that front.
As one of the first to propose an MU-like rule for healthcare cybersecurity, Groome was elated to see Warner make such a suggestion. His first note was to ensure there’s awareness that the “have-nots” in healthcare are not just limited to rural or small providers. There are many large health systems among those struggling with funding challenges, like CommonSpirit Health.
Health-ISAC is currently working on its official feedback for the policy options, particularly around the incentive program and efforts to get more providers on board with sharing information, explained Weiss.
Overall, any government initiative should at least take a mindful approach toward less-resourced organizations.
For example, with ransomware, several entities, including Health-ISAC, have generated great ransomware recommendations centered on the types of firewalls and staff training. But some of these efforts overlook the capabilities of smaller entities, like a two-person office, said Weiss. Those entities should focus on awareness, namely what to look for in these attacks, and on backups.
For Bernard, those incentives could be centered around cybersecurity insurance. The government could offer a reduced cost cyber insurance program for entities that are hard to insure — like those in healthcare — but only if those entities meet certain security criteria.
“I'm hearing anecdotes from companies, especially healthcare companies that have been breached, talking about their premiums for insurance going up, not by percentages but by multiples, and scary sounding multiples,” all the way up to 15 times more than what they were previously paying for a policy, said Bernard.
Compare those adjustments to hurricane coverage, such as after the recent storms that reached an unexpected part of Florida. Bernard noted that the state- and federal-run insurance programs have to help insure those areas because the commercial insurance industry “won't touch it.”
Bernard said he believed a similar program could be applied to the healthcare sector, where the federal or state governments could create a cybersecurity insurance program able to “insure the otherwise insurable.”
To afford the coverage, the entities would need to attest to certain measures to receive the financial benefit, broken down step by step to ensure these measures are financially viable, with “insurance at a rate they can afford.”
There are ample funding opportunities to provide optionality to health systems based on where they are in their cybersecurity program, explained Dodson. “The challenge in front of us is that hospital ‘A’ and hospital ‘B’ are going to be two totally different things because they either invested in different areas, or they have different sizes.”
In short, the ideal is an incremental approach, clearly charted so that providers can chip away at these needed cybersecurity measures and receive reimbursement as they go. But this is a sustained expense, which Dodson noted means government funding efforts must create incentives tied to specific periods of time and specific elements of a security program.
These conversations, between stakeholders and government leaders, are important, but still a long way off from enactment. For Dodson, that means healthcare leaders must determine what they’re going to do between now and then.