Healthcare cybersecurity should be an integral part of conversations in the country’s pandemic response, as evidenced by the spate of cyberattacks deployed against “hospital networks when they were at their most vulnerable,” said Rep. Bill Johnson, R-Ohio.
“Cybersecurity is so vitally important to not only preventing ransomware attacks on hospital networks and ensuring the safety of patients’ personal data, but also to our national security,” he added. “Nobody's on the frontlines with that issue more than hospitals, who are fighting cyber threats daily.”
Johnson led the cyber-focused questions during the May 11 House Energy & Commerce subcommittee hearing on how the government can better prepare for and respond to future public health security threats, drawing on lessons learned during the COVID-19 pandemic.
At the center of the hearing was the potential reauthorization of the Pandemic and All Hazards Preparedness Act (PAHPA), set to expire on Sept. 30. Although the 2018 version only contains one cyber provision, the pandemic confirmed that cybersecurity must be a key part of the government’s plan to reauthorize the bill, he stressed.
When PAHPA was reauthorized in 2018, “cyber was a known threat, but not truly at the top of anyone’s mind when it comes to preparedness,” said Johnson. Of course, much has changed in that time, with a serious increase in cyberattacks against the sector.
For Johnson and Erik Decker, Health Sector Coordinating Council’s Cybersecurity Working Group chair, the pandemic spotlighted the sector’s weaknesses and reliance on technology, as well as an overwhelming need for better cybersecurity measures and industry coordination.
Threat actors leveraged the pandemic to prey on hospitals, which forced providers to shift resources from “areas where they're desperately needed, away from patient care and more toward their infrastructure, their technology,” explained Johnson.
The shift cut into emergency services, “canceled life-saving procedures and ultimately, increased death rates that would have otherwise been totally avoidable. The cybercriminals are not simply stealing our data or shutting down networks. They're essentially taking American lives with them when they leave, or when they get there.”
As evidenced by a report published in JAMA Open Network this week, these cyberattacks also disrupt the operations of area hospitals, with an influx in patient volumes, increased wait times, and delays in patient care, thus increasing care morbidity risks.
The massive shift in the threat landscape should prompt the government to consider cybersecurity within the context of all-hazards preparedness and response.
Partnerships are improving, but more help needed
Decker testified to ensure cybersecurity provisions are included in any revised version of PAHPA.
While the public-private partnership between the health sector and the government has significantly matured in recent years, entities with fewer resources continue to lag in cyber capabilities and will require incentives and greater resources to meet the challenges of the current state of digital innovation, explained Decker.
“Cyber is very capable of turning into a kinetic problem,” he said. “Because we are so reliant on technology these days and because healthcare has become digital, when that technology is disrupted for a long period of time, the hospital systems are having a very hard time managing through that for a prolonged period of time.”
As such, the federal government must strengthen the resources of the Department of Health and Human Services, while working to bolster the partnership with the Cybersecurity and Infrastructure Security Agency. CISA offers many useful tools and services, which can only serve to bolster resilience — particularly as the government moves to mandate swift reporting.
The issue in healthcare is not an unwillingness to perform the tasks needed to move into a more proactive stance, such as incorporating threat intelligence garnered from critical infrastructure industries, but rather a lack of resources and incentives for providers without the means or staff to accomplish these necessary measures.
“Since HHS is our sector Risk Manager agency, we need to leverage HHS as the front door to all federal agencies,” said Decker. “Without proper cyber foundations in place, this velocity of digital transformation could become the equivalent of driving a racecar at maximum velocity without brakes.”
HSCC’s working group is steadily developing and sharing free recommendations and guidance for the healthcare sector aimed at bolstering resilience, he explained. These resources are a “shining example of joint partnership.”
Combined with the recently updated HHS 405(d) program guidance, providers have the tools and now need government help to close these gaps. Decker reaffirmed the need to, at the very least, continue the idea of incentivization. Industry stakeholders have asked for government incentives for years, and Sen. Mark Warner, D-Va., signaled the change for such a program in the fall.
Incentives or reimbursements would be crucial for some of the smaller and medium-sized organizations without “the resources to apply into cyber capabilities,” said Decker. “You could have a smaller or critical access hospital that's underwater. And the choice between an MRI machine or cyber capability tends to go towards the clinical capabilities.”
There’s also a need to continue the five-year strategic planning exercise, which works to determine what a stable condition looks like for cybersecurity in the health sector by 2029, Decker explained.
“Securing the health sector from cyberattacks might seem daunting, but I'm confident that we can meet this challenge,” concluded Decker.