• Politics
  • Diversity, equity and inclusion
  • Financial Decision Making
  • Telehealth
  • Patient Experience
  • Leadership
  • Point of Care Tools
  • Product Solutions
  • Management
  • Technology
  • Healthcare Transformation
  • Data + Technology
  • Safer Hospitals
  • Business
  • Providers in Practice
  • Mergers and Acquisitions
  • AI & Data Analytics
  • Cybersecurity
  • Interoperability & EHRs
  • Medical Devices
  • Pop Health Tech
  • Precision Medicine
  • Virtual Care
  • Health equity

Stakeholders Must Be Proactive About Cybersecurity

Article

The healthcare sector is still at an increased risk, so what can stakeholders do to fight off cyber threats?

code

In February, Senator Mark Warner, the vice chair of the Senate Intelligence Committee and co-chair of the Senate Cybersecurity Caucus, sent a letter to 12 healthcare organizations and four federal agencies asking for feedback on the security and resiliency of the healthcare industry.

Warner wrote in the letter, “I would like to work with you and other industry stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the healthcare sector.”

In the letter, Warner expressed concern about sensitive medical records and said that while the increase use of technology in healthcare could improve the quality of patient care, expand access to care and reduce wasteful spending, technology has also made the industry more vulnerable to attack.

Among other things, Warner asked leaders to share:

  • How they identify and reduce vulnerabilities
  • If they maintain an up-to-date inventory of all of the connected systems within their facilities
  • If they have real-time data for the patching status of their systems
  • What steps have been taken to reduce risks that could be implemented nationally

Warner also asked if the government is doing enough to reduce vulnerabilities with a national strategy and what else the government can do to improve cybersecurity efforts.

The Institute for Critical Infrastructure Technology (ICIT) identified seven public responses to the questions from AdvaMed, American Medical Association, American Hospital Association, College of Healthcare Information Management Executives, Healthcare Leadership Council, HITRUST and Virginia Hospital and Healthcare Association. ICIT published a report detailing key themes and takeaways from the organizations’ responses.

The Need for Collaboration

Healthcare continues to face more complex and severe cybersecurity threats.

Every healthcare organization is at risk for many threats against every exposed system. But ICIT wrote in its report that the industry can improve its cyber posture through collaboration with public and private sector stakeholders and experts. Meaningful collaboration has been one of the most under-utilized, cost-effective and impactful strategies that organizations can roll out to decrease the risk of evolving cyber threats.

Through collaboration, organizations can have stronger data protection and have more proactive deterrence options. Collaboration between stakeholders also improves detection and response efforts and prevents pass-through and supply chain attacks.

Stakeholders Need to Be Proactive

The results of the Verizon 2018 Protected Health Information Data Breach Report highlighted a lack of cyber-hygiene and cybersecurity controls.

Stakeholders must do as much as possible to mitigate threats to healthcare systems and health data.

With a lack of proactivity from stakeholders, patients feel the impacts of breaches because hospitals act after the incidents have occurred. Then, patients’ digital health and financial future are in jeopardy so hospitals can minimize cybersecurity in their budgets.

According to the Health Care Industry Cybersecurity Task Force, 85% of U.S. hospitals do not have a cybersecurity professional on staff to secure their networks and systems. There has also been no effort to secure legacy computer systems or government effort to develop programs to help smaller healthcare practices get more cybersecurity personnel.

The healthcare sector is deficient in proactive foundational security policies, procedures and technical controls that could mitigate internal and external threats.

AdvaMed responded to Warner’s questions with information on past and current efforts by the organization to improve its medical device cybersecurity. The organization supported the development of cybersecurity consensus standards.

The American Hospital Association believes cybersecurity best practices are detailed under section 405(d) of the Cybersecurity Information Sharing Act of 2015, which were developed through collaboration after months of deliberation.

New Legislation Must Be Actionable

HIPAA is complex, resource intensive and offers minimal standards for healthcare data privacy and security, according to stakeholders.

HIPAA-compliant health systems might have less resources to improve their cybersecurity efforts and proactively fight off and mitigate threats.

The College of Healthcare Information Management Executives said that complying with HIPAA is insufficient in preventing data breaches and that strict adherence to HIPAA could result in weakened cyber defenses.

Policies are being introduced to improve interoperability and to promote the use of health technology, but cybersecurity measures must be put into place to protect patient health data.

ICIT wrote in its report that future policy recommendations should include security requirements that exceed minimal efforts and are not punishable.

Instead of punishing providers who experience cybersecurity incidents, reducing their resources to modernize practices, ICIT suggests that emerging governance should incentivize organizations to learn from their mistakes and share their lessons with other stakeholders.

Get the best insights directly to your inbox.

Related

Consumers Are Not Prepared to Handle Cybersecurity Threats, Morphisec Report Finds

Why Experts Think e-Commerce Hacker FIN6 Is Moving Into Healthcare

If You Can’t Beat the Hackers, Join Them

Related Videos
Image: Ron Southwick, Chief Healthcare Executive
Related Content
Image credit: ©tippapatt - stock.adobe.com

Healthcare mergers may face more questions about cybersecurity

April 18th 2024
Article

In the wake of the Change Healthcare attack, regulators may look more closely at protections for data privacy as they examine deals, experts say.

The rise of third party cyberattacks in healthcare | Data Book podcast

The rise of third party cyberattacks in healthcare | Data Book podcast

March 11th 2024
Podcast

Dan Dodson, the CEO of Fortified Health Security, talks about the risks to hospitals, AI in attacks and defense, and what health systems can do to protect themselves.

Image credit: American Hospital Association

Change Healthcare cyberattack: Health leaders ask Congress for help with cybersecurity

April 17th 2024
Article

During a House panel hearing on the attack, hospital and health industry leaders urge lawmakers to help deal with attacks from ransomware groups.

Hospitals face evolving threats from cyberattacks | Data Book podcast

Hospitals face evolving threats from cyberattacks | Data Book podcast

December 7th 2023
Podcast

Michael Hamilton, founder and chief information security officer of Critical Insight, talks about trends in attacks and emerging threats in the coming year.

Image: Ron Southwick, Chief Healthcare Executive

Change Healthcare cyberattack: Lawsuits emerge, and more are coming

April 5th 2024
Article

Several suits have already been filed and others are expected due to the ransomware attack that has affected hospitals and providers nationwide.

Image: Ron Southwick, Chief Healthcare Executive

American Hospital Association CEO talks about Change Healthcare ransomware attack and cybersecurity

April 4th 2024
Article

Rick Pollack discussed the cyberattack and its ramifications at the Hospital + Healthcare Association of Pennsylvania Leadership Summit.

© 2024 MJH Life Sciences

All rights reserved.