Cyberattacks can lock doctors out of patient information systems, compromise protected data, shut down hospital equipment, and delay patient care, but they can also trigger incidents. lawsuits and penalties against health care organizations.
An industry expert asks, Is the healthcare industry set to fail?
Calling a healthcare cybersecurity king
Senator Mark Warner, D-Virginia, divides his new policy document, Cybersecurity as Patient Safety, into three sections: national risk posture and federal leadership; network attack recovery and requests; and incentives can improve healthcare cybersecurity.
He cited stakeholders who reported a lack of coordination between the Department of Health and Human Services and the Cybersecurity and Infrastructure Administration (CISA) in its call to establish a new senior leader. responsible for healthcare cybersecurity under the executive agency secretary.
“To be [HHS] succeed as a risk management agency in the healthcare sector and is HHS the most appropriate SRMA? ” partnership between the federal government and industry and other questions about monitoring HHS.
Previously, CISOs of leading health systems said IT news about healthcare that collaboration with HHS on cybersecurity is happening at all levels.
Congress focuses on healthcare cybersecurity
Warner is a co-founder of the Cybersecurity Senate Conference and he is the man behind the Internet of Things (IoT) Cybersecurity Improvement Act and other cybersecurity legislation.
In 2019, he sent a series of questions to a number of healthcare providers and industry trade associations and sent letters about the steps they had taken to improve their cybersecurity. himself, according to a notice from his office.
Some of the policies being considered in Warner’s healthcare cybersecurity policy document urges Congress:
- Expand and require HHS to make more frequent updates to HIPAA, particularly when consumer apps and devices that collect and share health information are not required to comply with the law.
- Consider establishing a workforce development program with a particular focus on cybersecurity healthcare, given the shortage of experienced cybersecurity workforce across industries.
- Authorization creates minimal cyber hygiene practices, with compliance incentives and penalties for non-compliance.
- Consider some incentives to address obsolete systems, medical devices, and equipment to reduce or eliminate lifecycle gaps, like product replacement and rebate programs legacy, as well as market incentive programs for and for medical device manufacturers.
- Request a bill of software materials for all software and equipment used in healthcare.
The Warner report also recommends a number of industry incentive programs, such as student loan forgiveness to provide healthcare cybersecurity in rural areas and setting up disaster relief related to public health. state for cyberattacks, which the Federal Emergency Management Agency provides to hospitals after other disasters.
Relief can help healthcare organizations recover with grants, equipment loans, and federal assistance.
The Virginia senator didn’t stop at cyberattacks in prioritizing patient protection around user data and privacy.
He introduced the DASHBOARD Act 2019 to increase transparency in data collection and recently wrote to Mark Zuckerberg asking about methods of collecting patient information using Meta Pixel, a human data tool. consumers installed on hospital websites to convert impressions into customers.
But Senator Warner isn’t the only federal legislator looking to beef up healthcare cybersecurity to protect patient data.
In September, the Healthcare Cybersecurity Act – introduced by representatives Jason Crow, D-Colorado and Brian Fitzpatrick, R-Pennsylvania, in the House and by Senators Jacky Rosen, D-Nevada, in the Senate – will direct CISA to work with HHS to increase cyber resilience in the healthcare sector.
‘We set up our health system to fail’
Following the Senator Warner group policy briefing, Chris Bowen, CISO at ClearDATA, shared with IT news about healthcare via email that “we will provide additional input on these policy options to try to level the playing field.
“Some healthcare organizations have been shown to be lax in their security controls,” says Bowen. “But many people are doing everything right and still fall victim to attacks by nation-state organizations or criminal organizations funded by nation-states. How. for a healthcare provider to effectively fight China or Russia? becomes, what happens when I’m doing everything right but still get squashed?” he wrote.
In its report, Warner highlighted the “slow and painfully inadequate transition” to improving the industry’s cybersecurity landscape.
“Over the past decade, the American public has witnessed increasingly blatant and disruptive attacks on their healthcare sector that jeopardize sensitive personal information,” he wrote. delay treatment and ultimately lead to increased suffering and death.”
However, Warner’s policy report shows there is a significant amount of governance and there will certainly be some input from the industry to respond to.
Bowen, who is also a member of the Public Health and Health Sector Coordination Council of the Joint Working Group on Cybersecurity, which develops and disseminates a number of recommended cybersecurity practice guidelines. Industry opinion:
“When a provider is attacked by ransomware, the provider suffers reputational damage, operations fail, and their patients can literally die if access to care is restricted. And even if it does recover, trial attorneys are still building class-action lawsuits while regulators seek to ‘send a notice’ with a fine that the supplier couldn’t pay in the first place. pay. We have set up our health system to fail under these circumstances,” he wrote.
Warner is seeking feedback from healthcare stakeholders on policy options, according to the announcement. To respond, write to [email protected].
“The federal government and the health sector must find a balanced approach to dealing with serious threats, as partners with shared responsibility,” Warner said.
Andrea Fox is the senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS publication.
