Minimum standards, financial aid for small systems would help, industry experts say.
While there are experts and resources available, health care systems across the nation could use more help from the federal government to strengthen their computer networks against malicious attacks.
The U.S. Senate Committee on Homeland Security & Governmental Affairs joined the public discourse over health care cybersecurity – and the urgency of threats – on March 16. The hearing, titled “In Need of a Checkup: Examining the Cybersecurity Risks to the Healthcare Sector,” included testimony from four industry experts.
They did not suggest an easy, quick, one-size-fits-all solution to bolster protections for the computer networks physicians, clinicians, and support staff use to record patient information.
But the four panelists described the nature of the problem and why health care information is so valuable to online thieves who can sell the data, hold it for ransom, or threaten disclosure to patients. There are security measures health care workers and their supporters in government can do right now, and possible solutions that could help in the future.
The witnesses included:
Large health care systems have dedicated staff who can monitor the computer networks, sometimes 24 hours a day. The experts agreed small and medium-sized health care systems don’t have enough workers to do the same.
What’s more, if an urban hospital has to shut down systems due to a cyberattack, patients usually have other nearby options to seek care. That’s not the case in rural areas, Pierce said.
“The impact on our rural communities during an attack is hard to overstate,” Pierce said. “The impact on patient safety is easy to comprehend. Delays in care can directly contribute to negative outcomes for many high-risk conditions. Facilities that continue to treat patients are challenged to provide high levels of patient care without access to patient information, safety alerts, delays in results, and other key tools.”
She suggested at least four changes that could help:
Dresen offered two examples of collaboration and training new workers to strengthen cybersecurity.
The Michigan Health Care Cybersecurity Council convened health care organizations 10 years ago under the governor’s sponsorship to share best practices.
“It connected large systems with small systems so that you gave that connectivity and access to expertise to everybody in the state to help improve the state of the healthcare sector overall,” Dresen said. The West Michigan Center for Arts and Technology, which Peters visited last year, also offers free computer training and certifications for students to provide new talent in the health care sector, Dresen said.
There are at least two publicly available resources for health care leaders and information technology professionals to use in developing cybersecurity plans, Garcia said.
In the Cybersecurity Information Sharing Act of 2015 Congress directed the U.S. Department of Health and Human Services (HHS), with other agencies, to develop a series of cybersecurity best practices for health systems. That work is known as the 405(d) program for the section of law, and as the Health Industry Cybersecurity Practice: Managing Threat and Protecting Patients, with 10 best practices to protect health care computer networks. An updated set of best practices is due soon this year, Garcia said.
“So this is this is partnership at its at its best, where there is consensus about what health systems need to do in cybersecurity, some of the basic blocking and tackling, not necessarily expensive, no high investment level,” Garcia said. “But some of the foundational elements of good cybersecurity practices.”
The Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Partnership, an industry partner with HHS, also offers free resources to enhance cybersecurity, Garcia said.
Martin agreed there is no shortage of recommendations and guidance, but taking stock of those resources and deciding what to do is another thing. He agreed a key thing is for the federal government to establish minimum thresholds for security best practices, and those thresholds must change over time.
He agreed with Pierce that, whether large or small, health care organizations are balancing lots of different competing priorities. “Trying to balance all of those different competing priorities is incredibly challenging and having that minimum target to shoot for will help make sure everyone is marching towards that target, and ultimately raise the security posture of everyone in the community,” Martin said.
The witnesses’ opening testimony is posted online. After those statements, they answered questions by Peters and committee members Sen. Kyrsten Sinema, I-Arizona; Sen. Thomas R. Carper, D-Delaware; Sen. Margaret Hassan, D-New Hampshire; Sen. Jacky Rosen, D-Nevada; Sen. Alex Padilla, D-California; Sen. Josh Hawley, R-Missouri; Sen. Richard Blumenthal, D-Connecticut. The full Committee hearing is available online.