Awareness around healthcare’s longstanding cybersecurity challenges is at an all-time high, as federal efforts to secure critical infrastructure work to provide the sector with needed support and Congress looks for deeper insight into the state of cybersecurity among care partners.
There’s a lot of positive movement within the sector to improve collaboration and the overall state of the industry, said Taylor Lehmann, director of Google Cloud’s Office of the CISO. The sector is beginning to see some of the benefits of some “bright spots” in the federal arena that have been progressing for a while.
For one, the Department of Homeland Security during the pandemic put an “important emphasis on the stability of the healthcare infrastructure” as it drives investments in those areas and creates public-private partnerships, he explained. The frequency and impact of congressional testimonies are giving healthcare security leaders much needed “airtime.”
“For a long time, those conversations weren’t happening,” said Lehmann.
Earlier this month, Congress sent yet another letter to the Department of Health and Human Services requesting an urgent meeting on the state of cyberattacks against the sector and challenges to operationalize collaboration.
The letter joins countless others seeking to address health app security challenges and possible gaps in the Health Insurance Portability and Accountability Act.
The growing interest may signal changes on the horizon. But there is still much work to be done to bolster efforts between private and public partnerships. Lehmann spoke to SC Media about ongoing efforts that will benefit the sector, as well as where more needs to be done — especially when it comes to collaboration.
“The industry is listening”
At a Senate hearing in May, Josh Corman, founder of the voluntary organization of security professionals I am the Cavalry, informed Congress that the involuntary guidance currently in use in healthcare is not enough to “transcend market failures.”
The sector’s “dependence on connected technology was growing faster than our ability to secure it, in areas affecting public safety, human life and national security,” Corman said at the time.
The hearing was followed by further inquiries, a White House meeting of healthcare security stakeholders, and a growing number of federal inquiries into these challenges. For Lehmann, “it’s a sign that the industry is listening.”
“The cooperation we're seeing is unprecedented and really encouraging,” he added.
Perhaps even more positive, feedback from the industry such as the Health Sector Coordinating Council is now making its way into actual guidance produced by federal efforts, while advising how the HHS Office for Civil Rights may enforce HIPAA violations in the future.
For example, HSCC previously put together volumes of best practices known to be effective in healthcare, which influenced the Safe Harbor rule that ensures providers able to demonstrate these good faith security efforts may see more leniency after a “bad day” than another entity not following best practices.
Lastly, the FDA is also working to finalize guidance on pre-market and some post-market considerations for medical device cybersecurity, a well-known vulnerable and unsafe issue within the healthcare environment.
“As a healthcare provider, I saw it firsthand during 20 years of service, end-of-life tech still being used to treat patients,” said Lehmann. “We know it's wrong, but there isn't the enforcement or the encouragement out there to really do anything about it. With the FDA’s work, it looks like that’s going to change.”
There’s also a growing interest from consumers as they gain more access to their own health information. Lehmann notes that many patients may start to shop for healthcare “based on things like security and safety of the infrastructure that's being used to treat them.”
“I can't think of a better outcome like walking to an emergency room, looking at the equipment and saying, ‘No, I'm not gonna let that touch me, that’s unsafe,’” he said. “Every executive team and every hospital and care delivery center is going to get a notice and pick their head up and go, ‘We got to do something about this.’ It's really encouraging.”
“All of these things are underlined through partnerships in the industry, like the Health-ISAC HSCC, even internationally: organizations are working together to affect lawmaking across the globe. It's having a real impact,” Lehmann added.
Shifting to collaboration is paramount
As it stands, healthcare generally relies on a shared responsibility model. Wherein, a vendor will work to get “skin in the game” with customers by directly working with clients to better understand precisely what’s needed and deliver products and services to address those goals.
It “reduces toil” on the provider side, while letting them focus on their jobs, he explained. “No hospital, or other life sciences company is in the business of cybersecurity.” Their responsibility is care delivery and therapy, development and distribution.
However, in healthcare, this model has proven difficult because of ongoing silos. One part will do one security thing and the other will enact a separate item, “but they never show it or come together.” It’s created an untenable situation that Lehmann believes is reinforcing the need for broader change.
“For us, it's time to lean in: if you're a vendor in this space, you actually need to do more than just tell people what to do. You need to help them do it,” said Lehmann. “We’re seeing that shift.”
Mechanisms exist now that organizations can tap into that bolster threat sharing, for example, where ordinary organizations with varying degrees of security capabilities and quality levels can work to address key issues tailored to their organization. But more work is needed.
Safety is now playing a greater role, as well, particularly with medical device manufacturing and quality management systems of any sort. Lehmann said, “When integrity and availability are treated as equally important as confidentiality, then I think we're going to be getting somewhere.”
For Lehmann, it’s not that threat data isn’t being shared between organizations. The challenge is ensuring the information is “pushed down into the quality and regulatory and safety teams, and for them to then prioritize their work based on threat reduction or risk reduction coming from the security risk perspective.” Entities must better develop the handoffs within their organization.
There’s also a need for an instrument to drill down into a deeper layer when it comes to threats within the manufacturing, testing, and quality review validation. Lehmann stressed there’s a need to “bridge these two areas because security is safety.
“We need to do a better job of translating, and threat intel plays a big role in that,” he added.
However, small providers are continuing to struggle with some of these issues. Some may be wary of certain vendors, others might prefer to “stick with things they know … and aren’t up on the potential of the latest tech and approaches.” Lehmann noted that they may actually be doing things that actually don’t provide benefit.
These entities must go back and look at the traditional ways they’ve been handling security and what’s informing those security decisions. It’s clearly easier with a massive team of security engineers, but it’s certainly possible to make good choices upfront when it’s informed by freely provided resources or by joining a threat sharing group to support better security decisions.
“Strategic resourcing makes a lot of sense, managed Services make a lot of sense,” Lehmann added. “Once you're aware of what's out there, you fully understand the opportunity, then it's a cost decision… It's about letting them know what the opportunity is and how to take advantage.”