When it comes to mitigating cyberattacks in the healthcare industry, organizations are stressing that cross-sector and bi-partisan collaboration, between healthcare, technology and information security leaders, is key.
The reinvigorated calls were spurred by Senator Mark Warner (D-VA), who in February solicited a dozen healthcare entities and asked what they’re doing to help prevent cyberattacks. With insight from the community, Warner said he's hoping to develop a national strategy to improve the “safety, resilience, and security” of the healthcare industry.
With the deadline for written responses – March 22 – having passed, The Institute for Critical Infrastructure Technology (ICIT), a cybersecurity think tank, this week aggregated the public responses in a report, “An Analysis of Responses to Senator Warner’s Health Sector Cybersecurity Inquiries” (PDF).
The report breaks down responses from a handful of entities, including the American Hospital Association, the American Medical Association, HITRUST, and the Healthcare Leadership Council (HLC).
Among the responses, one of the biggest consistencies was the belief that patient health is paramount and that the sector needs to address threats through collaboration between public and private stakeholders and experts in the industry.
“Warner's questions probe the state of public-private and intra-agency collaboration because meaningful collaboration has proven one of the most under-utilized, cost-effective, and impactful strategies organizations can engage to mitigate hyper-evolving cyber threats,” the ICIT report reads. “Threat sharing initiatives allow for stronger data protection and more importantly, for proactive deterrence options instead of reactive remediation efforts.”
In particular, the American Hospital Association and the HLC – a coalition that counts executives from Amgen, Anthem, Johnson & Johnson, Merck, and McKesson among its members – advocated for greater collaboration and increased cybersecurity education and information sharing.
In its response, AdvaMed, the Advanced Medical Technology Association, a medical device trade association, highlighted an information sharing organization, MedTech ISAO, that it launched last month. It also pointed out that it's been collaborating with more than half a dozen organizations, such as the Health and Healthcare Sector Cybersecurity Coordinating Council and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, to better manage medical device cybersecurity.
One area of concern raised by the groups is the lack of policy in place to protect patient data. Just complying with HIPAA isn't enough to prevent data breaches and, in some cases, following it by the books can drive up costs, impede innovation, and result in "weakened cyber defenses," according to the ICIT.
Policy should exceed the bare minimum but not be unduly punitive, the groups say.
“Instead of focusing on punishing healthcare providers who suffer cybersecurity incidents, and thereby further reducing their resources available to modernize systems or adopt layered security controls, emerging governance should incentivize organizations to learn from their mistakes and share those lessons with other stakeholders.”
This concept ties into another theme made clear by ICIT’s report: the need for actionable governance. Instead of focusing strictly on the responsibilities of covered entities, Congress should modernize HIPAA and HITECH regulations and incentivize security instead of penalizing violations, the Virginia Hospital & Healthcare Association (VHHA) said.
Citing the difficulty of conducting security analyses as outlined by HIPAA, the AMA echoed those sentiments to an extent, adding that there should be multiple paths to compliance. For example, the AMA said, statutes or regulations could be revised so that covered entities that adopt and implement the NIST Cybersecurity Framework, or that take steps toward applying the Health Industry Cybersecurity Practices, are deemed in compliance with the Security Rule.
Another idea brought forth by the groups would be to grant entities “safe harbor” from regulatory enforcement actions if they’ve been breached but are in compliance with security requirements. This concept, in the eyes of the AHA, the HLC, HITRUST, and CHIME, the College of Healthcare Information Management Executives, would incentivize orgs to invest in security controls "that they might otherwise forgo out of fear that if they are breached despite the controls, they will be significantly penalized."
Yet another idea would be to develop a government-recognized certification program and issue regular guidance that provides a baseline of cybersecurity safeguards in compliance with NIST's framework.
"Any national strategy should incentivize industry-wide collaboration rather than stoke fear of penalties or negative publicity, which often results in a lack of transparency of information on security breaches and ongoing cybersecurity threats," the report reads.
The groups' answers come amid what some have likened to an epidemic in the industry. Breached healthcare records tripled in 2018 as 15 million patients from 503 health data breaches had their data exposed.