A recent National Committee on Vital Health Statistics Subcommittee on Privacy, Confidentiality, and Security (NCVHS) meeting revived a longstanding debate in the health care sector: Could incentivizing providers enable entities to move the needle on overall cybersecurity?
On July 14, Erik Decker, Intermountain Healthcare chief information security officer, presented a number of ideas that could address cybersecurity challenges in the health care sector on behalf of the Health Sector Coordinating Council.
Along with incentivization, the HSCC proposed enacting a 100-day plan, similar in design to the recent Biden administration effort for the U.S. electric grid, announced in April.
The plan centers around a partnership between the Department of Energy and Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), which would coordinate with the electric utility industry to improve overall industrial control system cybersecurity for the utility sector and incorporate sector feedback.
The health care sector could benefit from a similar 100-day plan, which HSCC explained would require industry feedback on what’s needed to inform them of future recommendations on supply chain security.
For HSCC, these efforts are critical to addressing the sector’s ongoing cybersecurity challenges, which have been met with an ongoing onslaught of targeted attacks, ransomware, data extortion efforts and other cyber threats. Data show at least 48 U.S. health care providers experienced a ransomware attack so far this year, with a majority of ransomware tied to data theft and exposure.
“Cybersecurity threats are not only a threat to national security, they are a threat to patient safety, as attacks can cause denial-of-service, medical device corruption and data manipulation that directly impacts clinical operations, patient care, and public health,” Decker explained.
HSCC identified four key areas in need of immediate attention: understanding the new threat landscape, continued incentivization for health care providers working to bolster cyber defenses, organizing the sector’s response, and additional policy recommendations.
The crux of these focus areas rely on incentivizing providers, rather than penalizing health care entities victimized by cybercriminals despite proactive security measures. The idea is not new, as many health care stakeholders have supported similar efforts in the past.
The Health Insurance Portability and Accountability Act Safe Harbor was signed into law on Jan. 5, 2021, which amends the Health Information Technology for Economic and Clinical Health Act to require the Department of Health and Human Services to incentivize best practice cybersecurity for meeting HIPAA requirements.
When it was first proposed, HITRUST and other industry groups lauded the bill as a step in the right direction and a way to rebalance current methods of penalizing providers after a security event. Instead, HHS would be required to take into account the entity’s use of recognized security best practices when making a determination of penalties after a data breach.
For HSCC, the provision “serves as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and, ultimately, patient safety.”
However, HHS has not yet put these measures into place: the agency published a request for information prior to publishing the proposed rule, which HSCC is concerned will inevitably slow the process and “add another layer of bureaucracy” that the health care sector truly can’t afford as threat actors continue with their onslaught of attacks.
HSCC called on NCVHS to request HHS move directly to the proposed implementation of the law to move the needle on incentivization efforts, while advocating for policies that incentivize or reimburse health care providers with strong cyber hygiene “rather than punitive approaches that penalize them.”
The recommendations align with another HSCC proposal: the health care sector needs to share threat information with the Department of Homeland Security Cybersecurity and Infrastructure Security Agency. However, in the midst of cyberattacks, most health care victims work with law enforcement that can limit further threat sharing.
To overcome some of these hurdles, HSCC recommends law enforcement “serve as the funnel to CISA” in as near to real-time as possible. In doing so, the government can better determine how to secure critical infrastructure.
NCVHS should launch an initiative to:
- Enable and improve bi-directional information sharing between health care and law enforcement
- Aggregate information sharing from law enforcement to all critical infrastructure Information Sharing Analysis Centers (ISACs)
- Further educate critical infrastructure entities on legal protections for sharing this type of information with the federal government
- Educate entities on permissible threat sharing
The HSCC recommendations further expand on previous stakeholder commentary on just what’s needed to bolster health care cybersecurity. However, it begs the critical question: how feasible are these recommendations within the regulatory environment of health care?
With requirements, incentives may work for some providers
As providers continue to fall victim to threats at a constant, steady rate, the sector should see the ongoing threats as a call to action, explained Dan L. Dodson, Fortified Health Security CEO. The 100-day plan proposal could go a long way in ramping up the sector’s urgency for action, long overdue when patient safety is a risk and many organizations need financial support to improve their overall cyber posture.
However, incentives may not be effective for all providers.
“In the classic bell curve of the technology adoption lifecycle, the ‘late majority’ and ‘laggards’ are the two segments that are the last to adopt new technologies,” said Dodson. “That is exactly where we are with cybersecurity program adoption in health care.”
“Unfortunately, the incentives that worked to galvanize the early adopters of health care technology, as well as the reduction of penalties by the Office for Civil Rights or those with strong cyber infrastructures in place, does not work for this segment,” he continued.
For this segment of health care, the government will need to change its tactics while not punishing or alienating those that joined the process in the early days. Dodson stressed that addressing these issues and understanding the challenges faced for these particular providers will be crucial to getting these particular stakeholders on board.
Dirk Schrader, global vice president of marketing for NNT, part of Netwrix, shared similar concerns about incentives: specifically, the idea of arguing for incentives based on self-regulated standards while requesting fewer penalties.
Calling it a “figleaf of modern security strategies and widely agreed practices,” incentives will enable providers to do just enough to meet those standards, rather than truly bolstering overall cybersecurity, Schrader argued.
But the argument in favor of incentives centers around supporting resource-strapped entities in need of better cybersecurity measures that may not have the tools or understanding to make those much-needed improvements.
For Gavin Smith, PC Matic spokesman and former HHS deputy communications director, those incentives must only be given to providers for investments in preventative cybersecurity solutions, as “all too often, funds acquired through incentives are allocated and spent on solutions that fail to protect users and networks from cyber threats in the first place.”
“Allocating funds without stating an exact purpose – preventative solutions – is only exacerbating the problem we face in respect to cybersecurity,” he added.
HHS should prioritize incentives for strong digital safeguards, including greater access to funding and reimbursements dedicated to cybersecurity, particularly as many providers are currently under-resourced in comparison to the rate of cybersecurity risks, explained Harley Geiger, senior director of public policy at Rapid7.
The agency should continue to consider mandatory, risk-based security standards to accompany that funding, which Geiger stressed should come from direct consultation with cybersecurity experts in both the private and public sectors.
“These standards should include provider systems and equipment, not focusing just on protected health information, added Geiger. “The [HSCC] ‘Health Industry Cybersecurity Practices' are a good place to start.”
“The reduction in penalties for HIPAA-covered entities with strong cybersecurity practices (via H.R.7898) and a proposed administration-led 100 day sprint are well-intended but will vary greatly in impact depending on the circumstances of the health care provider,” he added.
Jeff Reichard, senior director of enterprise strategy at Veeam, echoed the need for decreasing fines or penalties for security incidents when the provider can fully demonstrate adherence to a recognized framework, like the NIST Cyber Security Framework (CSF).
As it stands, resource-constrained providers often view cybersecurity investments as “non-revenue-generating black holes.” Reichard explained that if the government response instead shifts from the stick method to “part carrot and part stick,” it could support the drive for better security practices in the health care sector as a whole.
Some states are already pursuing this avenue, such as the recently enacted Cybersecurity Standards Act in Connecticut, which Reichard explained provides a safe harbor against penalties for businesses that can demonstrate their enterprise follows a recognized security framework. The law specifically names the NIST CSF.
Reichard stressed that industry standards, such as those outlined in the HSCC guidance, can support providers with clear advice on pressing security matters. Providers also need to continue or even join threat sharing and security groups to demonstrate needed leadership and “stay involved in driving better security practices.”
At the end of the day, patient safety depends on cybersecurity used by the medical provider, Geiger explained. And the true metric for increasing the resilience of health care cybersecurity will ultimately stem from “the broad adoption of effective cybersecurity safeguards and processes.”
“It is clear to me that having an incentivization mechanism for improving cyber-hygiene will advance security maturity across health care in time,” said Saif Abed, M.D., founding partner and director of cybersecurity advisory services for the AbedGraham Group. “At the very least, it makes the business case security leaders make in the health care organization C-suite more powerful.”
“I also support the notion of a 100-day plan for health care cybersecurity. Key to this is, of course, open collaboration between law enforcement agencies, intelligence agencies and industry with federal health care agencies and delivery organizations,” he added.
The plan could also serve as a foundation for a greater global collaboration with cybersecurity partners in the U.K. and Europe, which are dealing with similar challenges.