Healthcare Leaders Call for Cybersecurity Standards
Also: Please Help the Sector Pay for Cybersecurity, Execs Tell Senate Panel
Marianne Kolbasuk McGee (HealthInfoSec) • March 16, 2023
Witnesses being sworn in at Senate panel on healthcare cybersecurity Thursday (Image: U.S. Senate)
Healthcare industry representatives called on Congress to ensure minimum cybersecurity standards for their industry, saying that a wholly voluntary approach is failing clinics and hospitals.
There is no shortage of best practices documents, said Stirling Martin, chief privacy and security officer at electronic health records giant Epic Systems, while testifying Thursday before a Senate panel.
Sifting through all of them and setting priorities is not an easy task, he told the Senate Homeland Security and Governmental Affairs Committee.
“One of the things that government can do to help is establish a minimum threshold for security best practices,” said Martin.
Cybersecurity gaps are widest at small rural hospitals, testified Kate Pierce, who served for 21 years as CIO and CISO at North County Hospital, a 25-bed community hospital in Vermont.
Staff at rural hospitals are scarce and stretched thin, she said; they wear multiple hats and juggle many duties. It is extremely rare to find anyone at those facilities who is specifically assigned to handle security, said Pierce, who is currently an executive at Fortified Health Security.
Implementing security best practices that are only “recommendations” and contained in voluntary guidance is simply not on the radar of such under-resourced hospitals, which are also contending with a barrage of other major challenges, she testified.
“Without minimum standards, these facilities will not prioritize cybersecurity over the seemingly more pressing needs in currently strained budgets,” Pierce said.
“But don’t forget – we also need to provide them the ability to implement the security measures,” she told the panel.
Changes to federal anti-kickback regulations that allow large hospitals to donate cybersecurity technology and services to smaller entities have done little to help the have-nots, Pierce said. “There’s been little traction,” she said (see: HHS Rule Changes Allow for Cybersecurity Donations).
The healthcare industry needs help from the federal government to respond more effectively to the increasing frequency of attacks from nation-state actors and organized crime groups, testified Scott Dresen, CISO of Corewell Health, the largest integrated health system in Michigan.
“The U.S. government has actionable intelligence that would be of immediate value to the healthcare sector. While there is some degree of automated intelligence sharing, we need to make more of that intelligence accessible,” he said.
Financial support to help organizations get involved with the Health Information Sharing and Analysis Center or other information-sharing organizations – “if it’s a cost-matching subsidy” – would also benefit many entities that don’t currently participate in intelligence sharing, said Greg Garcia, executive director of cybersecurity for the Health Sector Coordinating Council.