Healthcare , Industry Specific , Standards, Regulations & Compliance
Healthcare Cybersecurity Proposal Stirs Industry Opposition
What Should the US Government Do to Impove Medical Cybersecurity?Lobbyists for U.S. hospitals oppose a Biden administration proposal for mandatory cybersecurity requirements and possible financial disincentives for organizations that fail to meet those expectations. Industry experts contend that some type of government actions are needed for raising the bar on cybersecurity in the healthcare sector.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
The Biden plan, along with other measures, proposes establishing cybersecurity requirements for hospitals participating in Medicare and Medicaid programs (see: Biden Administration Issues Cyber Strategy for Health Sector).
The Department of Health and Human Services will work with Congress to obtain new authority and funding to both administer financial support for domestic hospital investments in cybersecurity "and, in the long term, enforce new cybersecurity requirements through the imposition of financial consequences for hospitals," the Biden document says.
The HHS has not yet fleshed out the specifics of what those new requirements and cybersecurity "performance goals" will be.
The American Hospital Association in a statement issued shortly after the Biden administration issued its concept paper on Dec. 6 said it "cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime."
"Many recent cyberattacks against hospitals have originated from third-party technology and other vendors," the AHA said. "Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks."
Other industry experts say some kind of government-backed change is needed to push the healthcare sector into a better cybersecurity stance. Often chronically underfunded, medical cybersecurity organizations have presided over a multiyear wave of ransomware attacks that shows little sign of abating. Emergency room closures and canceled procedures are often the result, with knock-on effects to patient health. A September 2021 analysis by the Cybersecurity and Infrastructure Security Agency found that cyberattacks can contribute to increased patient mortality by degrading hospital capacity.
"My first reaction from reading AHA's response to HHS' proposal is that a lot of folks are going to say, 'Wow, this sounds like AHA is saying, Woe is me. I'm the victim here so don't hold me responsible,'" said longtime healthcare industry cybersecurity expert Mac McMillan.
"But I don’t believe it's that simple. AHA's response says, 'We're a victim, and you can’t blame the victim. Therefore, penalties are not realistic, but incentives are OK.' It turns what should be a reasonable discussion of what is needed to do a better job of protecting one of our most valuable national resources into an emotional story of bullying the victim," he said.
Kathy Hughes, CISO of Northwell Health, the largest healthcare system in New York state, also thinks more needs to be done to raise the level of cybersecurity in the healthcare sector.
"Most agree that more should be done," Hughes said. Proposed federal and state legislation "is an acknowledgment that cybersecurity is a patient safety issue and that reasonable and appropriate security measures should be established," she said.
Offering incentives to hospitals and other healthcare providers to improve their cybersecurity programs can be a valuable approach for several reasons, Hughes said.
Northwell was among nearly 20 healthcare organizations that New York state contacted when regulators there recently prepared the state's own proposed regulations - also issued this month - to improve cybersecurity in hospitals in the state (see: NY State Eyes New Cyber Regs for Hospitals).
New York's proposed cybersecurity regulation - which is open for public comment until early February - comes with a $500 million funding request to help hospitals step up their security investments to comply with the new requirements.
When it comes to setting new standards in healthcare cybersecurity, one set of experts said the best vehicle would be updating the existing HIPAA Security Rule.
The rule is now 28 years old, Hughes said. "The requirements in the rule need to be modernized and strengthened to adequately protect patient data against today's cybersecurity threats," she said.
McMillan calls for a complete HIPAA overhaul - or possibly replacing it with more robust requirements. "Every other standard or framework - whether you want to talk NIST, ISO, CIS, etc. - has gone through four or five major revisions during this same time period," he said.
"We should not be talking about updating HIPAA, we should be scrapping it and adopting the NIST standards as almost every other industry, the government and today most of healthcare have already done," he said. "If the overwhelming percentage of healthcare entities have already adopted the NIST standards why then is it so hard for leaders in this industry as well as leaders in Washington to just make this the standard."