Senators ponder more federal actions on health care cybersecurity

While there are experts and resources available, health care systems across the nation could use more help from the federal government to strengthen their computer networks against malicious attacks.

The U.S. Senate Committee on Homeland Security & Governmental Affairs joined the public discourse over health care cybersecurity – and the urgency of threats – on March 16. The hearing, titled “In Need of a Checkup: Examining the Cybersecurity Risks to the Healthcare Sector,” included testimony from four industry experts.

They did not suggest an easy, quick, one-size-fits-all solution to bolster protections for the computer networks physicians, clinicians, and support staff use to record patient information.

But the four panelists described the nature of the problem and why health care information is so valuable to online thieves who can sell the data, hold it for ransom, or threaten disclosure to patients. There are security measures health care workers and their supporters in government can do right now, and possible solutions that could help in the future.

Speaking to senators

The witnesses included:

• Scott Dresen, senior vice president for information security and chief information security officer for Corewell Health
• Kate Pierce, senior virtual information security officer for Fortified Health Security
• Greg Garcia, executive director for cybersecurity for the Healthcare and Public Health Sector Coordinating Council
• Stirling Martin, senior vice president and chief privacy and security officer for Epic Systems

Size matters

Large health care systems have dedicated staff who can monitor the computer networks, sometimes 24 hours a day. The experts agreed small and medium-sized health care systems don’t have enough workers to do the same.

What’s more, if an urban hospital has to shut down systems due to a cyberattack, patients usually have other nearby options to seek care. That’s not the case in rural areas, Pierce said.

“The impact on our rural communities during an attack is hard to overstate,” Pierce said. “The impact on patient safety is easy to comprehend. Delays in care can directly contribute to negative outcomes for many high-risk conditions. Facilities that continue to treat patients are challenged to provide high levels of patient care without access to patient information, safety alerts, delays in results, and other key tools.”

She suggested at least four changes that could help:

• Create minimum, reasonable, achievable standards for cybersecurity, instead of recommendation that by necessity lag when physicians and staff must prioritize patient care.
• Make money available, especially for small and rural hospitals.
• The government needs better coordination of its cybersecurity efforts.
• An emergency cyber disaster relief program would help small and rural hospitals recover more quickly from attacks.

Collaboration can help

Dresen offered two examples of collaboration and training new workers to strengthen cybersecurity.

The Michigan Health Care Cybersecurity Council convened health care organizations 10 years ago under the governor’s sponsorship to share best practices.

“It connected large systems with small systems so that you gave that connectivity and access to expertise to everybody in the state to help improve the state of the healthcare sector overall,” Dresen said. The West Michigan Center for Arts and Technology, which Peters visited last year, also offers free computer training and certifications for students to provide new talent in the health care sector, Dresen said.

Resources available

There are at least two publicly available resources for health care leaders and information technology professionals to use in developing cybersecurity plans, Garcia said.

In the Cybersecurity Information Sharing Act of 2015 Congress directed the U.S. Department of Health and Human Services (HHS), with other agencies, to develop a series of cybersecurity best practices for health systems. That work is known as the 405(d) program for the section of law, and as the Health Industry Cybersecurity Practice: Managing Threat and Protecting Patients, with 10 best practices to protect health care computer networks. An updated set of best practices is due soon this year, Garcia said.

“So this is this is partnership at its at its best, where there is consensus about what health systems need to do in cybersecurity, some of the basic blocking and tackling, not necessarily expensive, no high investment level,” Garcia said. “But some of the foundational elements of good cybersecurity practices.”

The Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Partnership, an industry partner with HHS, also offers free resources to enhance cybersecurity, Garcia said.

Standards are needed

Martin agreed there is no shortage of recommendations and guidance, but taking stock of those resources and deciding what to do is another thing. He agreed a key thing is for the federal government to establish minimum thresholds for security best practices, and those thresholds must change over time.

He agreed with Pierce that, whether large or small, health care organizations are balancing lots of different competing priorities. “Trying to balance all of those different competing priorities is incredibly challenging and having that minimum target to shoot for will help make sure everyone is marching towards that target, and ultimately raise the security posture of everyone in the community,” Martin said.

The witnesses’ opening testimony is posted online. After those statements, they answered questions by Peters and committee members Sen. Kyrsten Sinema, I-Arizona; Sen. Thomas R. Carper, D-Delaware; Sen. Margaret Hassan, D-New Hampshire; Sen. Jacky Rosen, D-Nevada; Sen. Alex Padilla, D-California; Sen. Josh Hawley, R-Missouri; Sen. Richard Blumenthal, D-Connecticut. The full Committee hearing is available online.