
Roundup: Strategies and next steps to improve cybersecurity by 2023



Healthcare industry and government leaders see national standards, participating federal agencies, and technology playing a key role in the fight against cyberattacks in the healthcare sector. Here’s a brief summary of some of those trends, based on what we’ve reported and read in recent weeks.

‘Meaningful protection’ could drive cybersecurity transformation in healthcare

Writing in Forbes, Ed Gaudet, CEO and founder of Censinet and a member of the Health Sector Coordinating Council, proposes and describes what he calls a “Meaningful Protection” standard for cybersecurity in health care. Like the federal meaningful use program that drove the early adoption of electronic health records in the 2010s, he said, the goal would be to reduce patient safety risks and improve operational recovery through a “velvet hammer” approach.

“It is time for the United States to implement an incentive-based program to accelerate adoption of meaningful processes and technologies that protect our patients and healthcare infrastructure,” writes Gaudet.

Although there is some debate about the details of the meaningful use program, implemented as part of the HITECH Act to ensure efficient use of federal incentive money, Gaudet said it is difficult to reject the impact of the $27 billion program on shifting healthcare from paper to EHRs.

“To truly transform healthcare cybersecurity, the US government must consider modeling its cybersecurity investment program after Meaningful Use – specifically, ‘meaningful protection’ for patient safety, data, and care delivery practices through a combination of incentive and punishment over time,” Gaudet wrote.

He launched a three-phase program designed to enable healthcare organizations to demonstrate the use of certified methods, processes, and technologies in ways that measure protection of patient safety, data and care delivery practices.

Gaudet also suggested such a program would accelerate “herd immunity,” which the Public Health and Health Sector Coordinating Council’s cybersecurity working group is calling for, declaring that cyber preparedness is a shared responsibility.

“The first step to finding a solution is: realizing that you have a problem. We realize that we have this problem. Now it’s starting to manifest as it all comes together. I’m seeing it and I’m full of energy because of it,” Greg Garcia, the group’s executive director, told attendees of the recent HIMSS 2022 Healthcare Cybersecurity Forum.

James Noga, the former CIO of Boston-based Mass General Brigham, agreed. “Meaningful Protection will lead a positive direction in protecting healthcare organizations and patients from cyberattacks if adopted,” he wrote today in a LinkedIn post that he agreed to share with Healthcare IT News. “The next step is to lobby our lawmakers.”

The FTC may report on cross-border ransomware claims

As part of Congress’ year-end wrap-up package, Energy and Commerce Chairman Frank Pallone, Jr., D-New Jersey, and Commerce and Consumer Protection Subcommittee Chairman Jan Schakowsky, D-Illinois . some individuals, companies and foreign governments do.”

According to the notice, the FTC must focus specifically on attacks committed by Russia, China, North Korea, or Iran, as well as individuals or companies associated with those countries.

In June, the House Energy and Commerce subcommittee forwarded the Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act to the full committee, but, as NextGov reported, it has struggled due to lack of support from Senate leaders.

The RANSOMWARE Act requires the FTC to report to Congress on data from the Undertaking Spam, Spyware, and Fraud Enforcement with Enforcers beyond Borders Act, which allows the federal commission to share evidence with foreign law enforcement agencies and assist with investigations upon their request.

According to the report, members of the committee debated state precedence and the right of individuals, as opposed to government agencies, to sue violators. But Pallone has advocated since 2017 for “long-term commitments from many players” to strengthen the healthcare industry’s cybersecurity position.

Many healthcare organizations such as the American Hospital Association are calling for more federal assistance to victims of national cyberterrorism, including real-time insights.

“There’s only so much we can do in defense when foreign enemies sheltered by hostile nations attack us. The other half of the equation is a powerful offense of the US government to go after these people,” John Riggi, national adviser for cybersecurity and risk to the AHA, formerly of the Federal Bureau of Investigation, told Healthcare IT News in a recent conversation about government offense against healthcare cyberattacks.

Automation strategy can improve connected healthcare device security

While the industry awaits government action on the PATCH Act and the proposed software bill of materials, Greg Murphy, advisor and former CEO of Ordr, which recently partnered with Sodexo on managed cybersecurity services, provides hospitals with six immediate steps they can take to improve medical device security.

Writing in SC Magazine, Murphy recommends automation to maintain full visibility: keep an up-to-date device inventory, identify risks, and monitor device communications.

“Fighting the threat and maintaining patient safety requires constant monitoring and safety of the many connected devices in use in hospitals today,” he wrote.

“It’s been a tremendous job to avoid Code Dark events that force frontline doctors, nurses and hospital staff to serve after the attacks.”

Risk analysis “remains a very manual and labor-intensive process,” said Northwell Health CISO Kathy Hughes during a third-party cybersecurity panel at the recent HIMSS Healthcare Cybersecurity Forum.

Murphy recommends automating device discovery and classification to enable real-time and accurate device inventory and data.

First, “identify devices with outdated operating systems or other risks such as misconfigurations and unauthorized or vulnerable software,” he said.

Hospital IT teams should also monitor communications from countries with known hacking postures; identify and monitor devices that use high-risk privileged protocols; segment devices running outdated operating systems that cannot be patched; only allow accepted communications that are necessary for the operation of the device; and create a baseline for all connected device communications.

“Whenever ransomware takes control of a device, there is communication with an internet-based command and control website and the ability to move across the organization,” Murphy said.

“Any deviation detected from basic communication is a sign of compromise.”
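The baseline-and-deviation check described above, as an added example that is not from the article, Murphy or Ordr. The device names, addresses and the 10.20.0.0/16 clinical network are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed values for illustration: device names, addresses and the
# clinical network range are hypothetical, not taken from the article.
CLINICAL_NET = ipaddress.ip_network("10.20.0.0/16")

BASELINE_FLOWS = [  # (device, destination, port) seen during a learning window
    ("infusion-pump-07", "10.20.1.15", 443),   # drug library server
    ("infusion-pump-07", "10.20.1.30", 123),   # time server
    ("mri-console-02", "10.20.2.40", 104),     # DICOM to PACS
    ("mri-console-02", "10.20.1.30", 123),
]
OBSERVED_FLOWS = [
    ("infusion-pump-07", "10.20.1.15", 443),     # matches baseline
    ("infusion-pump-07", "203.0.113.50", 8443),  # new internet destination
    ("mri-console-02", "10.20.3.9", 445),        # new internal peer over SMB
    ("ultrasound-11", "10.20.2.40", 104),        # device not in the inventory
]


def build_baseline(flows):
    """Map each inventoried device to the (destination, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for device, dst, port in flows:
        baseline[device].add((dst, port))
    return dict(baseline)


def find_deviations(baseline, flows):
    """Return (device, destination, port, reason) for every flow outside the baseline."""
    alerts = []
    for device, dst, port in flows:
        if device not in baseline:
            reason = "unknown-device"
        elif (dst, port) in baseline[device]:
            continue  # accepted communication, nothing to report
        elif ipaddress.ip_address(dst) in CLINICAL_NET:
            reason = "new-internal-peer"      # possible movement across the organization
        else:
            reason = "external-destination"   # possible command-and-control traffic
        alerts.append((device, dst, port, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```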

Andrea Fox is the senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS.
