Healthcare Cybersecurity: Some Progress, Still Problems
Critical infrastructure security, governance and risk management
Assessing the industry’s cybersecurity progress over the past 5 years
Marianne Kolbasuk McGee (HealthInfoSec) •
June 17, 2022
“The job isn’t done yet” was a key part of a White House roundtable this week marking the fifth anniversary of a task force’s urgent recommendations to improve healthcare cybersecurity.
Biden administration officials, cybersecurity experts and industry leaders gathered in Washington for a briefing and roundtable to take stock of developments since the June 2017 “Report on Improving Cybersecurity in the Health Care Industry”, which warned that healthcare cybersecurity “is in critical condition”.
The report contained dozens of recommendations developed with input from the Department of Health and Human Services and public and private sector safety experts.
Some experts, including people who worked on the 2017 report, told Information Security Media Group that the healthcare sector has since made improvements.
But the sector — especially during the coronavirus pandemic — has in many ways slipped into a weaker cybersecurity position, says at least one member of the original report’s task force.
“We’ve seen hundreds of healthcare delivery organizations disrupted by ransomware attacks,” says Josh Corman, who earlier this year ended an 18-month tenure at the Cybersecurity and Infrastructure Security Agency as chief strategist for healthcare and public safety on coronavirus-related issues.
The 2017 report was a requirement of the Cybersecurity Information Sharing Act of 2015 (see: Analysis: Are HHS cybersecurity recommendations feasible?).
Among those present at this week’s event marking the report’s fifth (“wood”) anniversary were members of the executive committee of the Health Sector Coordinating Council’s Cybersecurity Task Force, said Erik Decker, CISO of Intermountain Health and committee chair.
Participants “committed to continue to evaluate the 2017 report, to identify areas where it could be updated, and to align with establishing a system where ‘you have to beat all of us to beat one of us,’” he said.
Another member of the HHS cybersecurity task force, former health IT director David Finn, who did not attend the White House meeting, told ISMG he had a mixed assessment of the past five years of cybersecurity efforts.
“There has been a lot of progress in the security industry since the report was released, less because it was passed and implemented by Congress than because it galvanized the industry to an incredible degree,” said Finn, who is now vice president of education and association networking at the College of Healthcare Information Management Executives, a professional organization for healthcare CIOs and CISOs.
Neither HHS nor CISA immediately responded to Information Security Media Group’s request for comment on the meeting and for additional details on what was discussed.
More attention needed
The need for continued attention to industry cybersecurity practices is evident. For example, during the ongoing pandemic, the sector has had to handle record numbers of patient cases and the rapid adoption of less thoroughly vetted technologies for teleworking and telehealth, while also contending with record staff and resource shortages – and with record volumes of attacks by adversaries seeking to disrupt and delay patient care.
Healthcare organizations unable to offer their more traditional, higher-margin services during the pandemic – such as elective surgeries and other non-coronavirus elective care – have suffered financially, leading to further cuts in areas such as security, Corman told ISMG.
The persistent divide between large organizations, which have more resources, and their smaller counterparts also remains a concern, Decker says.
“We are concerned about the ‘haves’ and ‘have-nots’, especially small organizations that are at risk but lack the resources to address the cyber threats we face,” he said. “It is at the center of our concerns as we continue our efforts.”
One thing HHS could do to improve things is finally release a formal cyber incident response plan for the industry, Corman says.
Among the 2017 task force recommendations, HHS was to identify critical incident response plans for use by the healthcare industry. “HHS, from an incident response perspective, was unprepared for what we faced during the pandemic,” he says.
A readout of the White House meeting says that Andrea Palm, deputy secretary of HHS, told attendees that the department was working to finalize incident response guidelines.
Another ongoing challenge is the industry’s stubborn perception that cybersecurity resides in its own bubble, disconnected from the quality of patient care delivery, Finn says.
“Cybersecurity is still considered an IT and security ‘problem’. Although we are making progress in this area, the industry has been slow to recognize that this is a business risk issue,” he says. “Security does not understand or experience the impacts of an attack. Clinical care and quality of care suffer.”
The task force report addressed related governance issues, and while many of these recommendations were addressed by government entities, “we don’t see the same attention from individual vendors or business associates,” he says.
Some members of the task force say that the health sector has made certain gains, such as generally higher levels of awareness and attention.
Perhaps the most significant advancements are in medical device security and Internet of Things medical technology, according to Finn. “The task force report has highlighted the magnitude of the problem and the multitude of unique needs and issues. time was a joke.”
Device makers, hospital administrators, clinicians, biomedical engineers, and IT and security officials have understood that they need to work together, while the Food and Drug Administration in particular has provided more detailed guidance on cybersecurity, he says. “The mission isn’t over, but it’s getting the kind of attention it needs.”
HHS has been working to forge deeper collaboration with the healthcare industry on cybersecurity issues. For example, in 2020, HHS launched the Healthcare Sector Cybersecurity Coordination Center. The center is responsible for directing HHS’s sharing of cybersecurity information, including mitigation resources. It frequently distributes educational material as well as notices related to the latest threats.
Corman says that over the past five years, among the most notable developments has been the recognition by healthcare, as well as the federal government, of the importance of software bills of materials.
President Joe Biden’s 2021 Executive Order on Cybersecurity mandated SBOMs for products sold to federal agencies by contractors. But even before that, some in government and health sectors had been touting the importance of SBOMs for several years, Corman says.
Most notably, this includes the FDA, which recommended “cybersecurity nomenclatures” for medical devices in draft premarket guidance released in 2016, then changed that to SBOMs in updated draft guidance released in April, he says (see: FDA document details cyber expectations of device makers).
Another major breakthrough highlighted by Corman is changing federal regulations on physician self-referral to help smaller, underfunded health care providers.
HHS amendments to the Stark Law allow large hospitals and health care delivery systems to donate cybersecurity software, hardware and services to smaller affiliated clinics and medical practices without violating federal anti-kickback laws (see: HHS rule changes allow cybersecurity donations).