Getty Images/iStockphoto

Experts Shed Light On Healthcare Cybersecurity Challenges Before Senate Panel

Four industry experts testified before the Senate Homeland and Governmental Affairs Committee recently, championing healthcare cybersecurity minimum standards and federal assistance for under-resourced organizations.

During a recent Senate Homeland and Governmental Affairs Committee hearing, four healthcare industry leaders shared their views on healthcare cybersecurity challenges and the ways in which the federal government could help the sector improve its security posture.

Throughout their testimonies, the experts stressed the need for additional support from the federal government as cyber threats continue to overwhelm the sector.

Healthcare Leaders Call For Support For Rural Healthcare Orgs

Cybersecurity challenges for rural and under-resourced healthcare organizations were a key focus area for Kate Pierce, senior virtual information security officer at Fortified Health Security, during her testimony.

“The impact on rural communities during a cyberattack is hard to overstate,” Pierce said. “While attacks in urban areas are impactful, populated areas provide other healthcare options for patients to choose. In most rural areas, the next closest healthcare facility may be 45 miles away or more, making the diversion of patients infeasible.”

Pierce cited unprecedented budget constraints, a lack of staffing dedicated to cybersecurity, and challenges with obtaining and relying on cyber insurance policies.

“We cannot leave our small and rural hospitals behind,” Pierce added. “Funding opportunities must be made available to these hospitals.”

But even with additional funding and cyber policies, Greg Garcia, executive director of the Health Sector Coordinating Council (HSCC) suggested that “cyber regulation on the nation’s small and under-resourced health systems cannot succeed without corresponding support from the government.”

Garcia championed the creation of structured government support programs that could help the sector, particularly critical access and rural providers, reduce risk through incentive- or grant-based assistance.  

In his opening statement, Scott Dresen, senior vice president, information security and chief information security officer at Corewell Health, noted that small and medium sized healthcare systems are not the only ones that are at a disadvantage in the cyber threat environment.

“Despite the advantage large organizations have in comparison, the increasing trend in attacks prove even the largest organizations are vulnerable and can be compromised.”

Improving Coordination Between Industry and Government  

“The industry is mobilizing collaboratively against evolving cyber threats in the health system. And our government is doing the same and can be doing more,” Garcia continued.

“The industry is regulated for cybersecurity in various ways and more is being contemplated, but there are ways that HHS, CISA, and other government offices can improve coordination in programs and funding to facilitate the security of the health sector.”

Garcia and other experts pointed to the need for increased threat sharing to help the sector better respond to emerging threats.

Dresen shared similar sentiments, suggesting that the sector can be more effective by “enhancing existing partnerships with and between U.S. government agencies, expanding the sharing of actionable threat intelligence, incentivizing access to affordable technology to defend against advanced threats, and reforming legislation to encourage the adoption of best practices while not penalizing the victims of cyberattacks.”

Establishing Minimum Security Standards

There is a plethora of free guidance and resources available for the sector to leverage that will help organizations mitigate risk. But voluntary guidance only goes so far, experts suggested.

“We must move beyond guidance and recommendations and create minimum standards for cybersecurity,” Pierce recommended.

“These standards must be reasonable, achievable and continually evolving as cybersecurity requirements change. “

Experts have long championed the creation of minimum cybersecurity standards. In fact, establishing minimum standards was a key focus area in Senator Mark Warner’s (D-VA) policy options paper on improving healthcare cybersecurity.

Stirling Martin, senior vice president and chief privacy and security officer at Epic Systems, echoed the need for minimum standards in his statement.

“The industry needs a single set of prescriptive security practices, whether defined by federal agencies such as NIST or CISA, industry efforts such as HITRUST, or a collaboration such as the Healthcare Sector Coordinating Council,” Martin said.

“This will raise the overall security posture of healthcare organizations by encouraging them to meet those acceptable security practices. The government should take the further step of establishing a legal safe harbor for organizations that meet the defined benchmark if they fall victim to an incident. This would also encourage information sharing to remediate active issues more quickly and prevent similar issues in the future, and could be bolstered by government agencies sharing deeper threat intelligence.”

The testimonies made it clear that the sector is aware of the cyber risks it faces on a daily basis, but it needs additional support from the government to further protect its patients.

Next Steps

Dig Deeper on Cybersecurity strategies