Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, has recently published a white paper – Cybersecurity is Patient Safety – that highlights the current cybersecurity challenges facing the healthcare industry and suggests several potential policy changes that could help to improve healthcare cybersecurity and better protect all health information, including health data not currently protected under the HIPAA Rules.
Sen. Warner suggests the only way to improve healthcare cybersecurity rapidly is through a collaborative effort involving the public and private sectors, with the federal government providing overall leadership. While further regulation may be necessary, the overall consensus of healthcare industry stakeholders is the best approach is to introduce incentives for improving cybersecurity, rather than mandating cybersecurity improvements with a threat of financial penalties for noncompliance.
The healthcare industry is under attack from cybercriminals and nation-state threat actors, and cyberattacks and data breaches are increasing at unacceptable levels. In 2021, 45 million Americans had their sensitive personal and healthcare data exposed or stolen in healthcare industry cyberattacks. More must be done to improve resilience and deal with the increasing threats. “Unfortunately, the healthcare sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate,” said Senator Warner. “Cybersecurity can no longer be viewed as a secondary concern; it must become incorporated into every organization’s – from equipment manufacturers to health care providers – core business models.”
The white paper suggests several areas where policies could be changed to improve cybersecurity in the healthcare industry.
Improve Federal Leadership
The Department of Health and Human Services (HHS) is the Sector Risk Management Agency (SRMA) for the healthcare industry, but within HHS, agencies such as the Office for Civil Rights (OCR), the Centers for Medicare and Medicaid Services (CMS), and the Food and Drug Administration (FDA) each have their own jurisdictions and cybersecurity policies. The white paper explains that there is a lack of overall leadership and suggests a senior leader should be appointed, who should be “empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role.”
Modernize HIPAA
HIPAA was enacted in 1996, and the HIPAA Privacy and Security Rules have been in place for two decades. While updates have been made to the HIPAA Rules, they fail to fully address emerging threats to the confidentiality, integrity, and availability of healthcare data. The current focus is on protecting the healthcare data collected, stored, and transmitted by HIPAA-regulated entities, but the same information is collected, stored, and transmitted by entities that are not bound by the HIPAA Rules. It has been suggested that more sensitive healthcare data is now being collected by health apps than is collected and stored by HIPAA-regulated entities, yet this data is largely unregulated. The white paper suggests Congress should direct HHS to update HIPAA, expand the definition of covered entities, and stipulate the allowable uses and disclosures of health data by entities that are not currently classed as HIPAA-regulated entities, to address the gap between HIPAA and the FTC Health Breach Notification Rule.
Develop a Healthcare-Specific Cybersecurity Framework
The National Institute of Standards and Technology (NIST) has released its Framework for Improving Critical Infrastructure Cybersecurity, and while that work has been commended, many healthcare industry stakeholders want more detailed guidance from NIST that is specific to the healthcare industry and have called for NIST to develop a consensus-based, healthcare-specific cybersecurity framework.
Improve Security Incident Preparedness and Response
HHS recently stressed in its October cybersecurity newsletter the importance of security incident preparedness and planning, as cyberattacks are inevitable over the lifespan of a healthcare organization. More needs to be done to encourage healthcare organizations to prepare for attacks. HHS could direct healthcare facilities to treat cyberattacks as equivalent to natural disasters such as hurricanes and earthquakes, including mandating training of hospital staff to use analog equipment and legacy systems, and establishing a disaster relief program for victims of cyberattacks.
Incentivize Healthcare Providers to Replace Legacy Systems
Legacy systems are still extensively used in the healthcare industry, despite their software and operating systems having reached end-of-life and having support withdrawn. Legacy systems are a security risk, yet healthcare organizations continue to use them because they still function and the cost of replacing them is too high. Incentives should be offered to phase out these legacy systems, such as a program similar to the 2009 Car Allowance Rebate System (CARS) that encouraged people to trade in their old vehicles.
Improve Medical Device Cybersecurity
There is considerable concern about the cybersecurity of medical devices and a need for minimum standards of security to be maintained and good cyber hygiene practices to be followed. All software and devices should be supplied with a software bill of materials (SBOM), and security requirements should be enforced during pre-market approval, as proposed by the PATCH Act. The white paper also suggests restrictions could be imposed on the sale of medical devices whose software has reached end-of-life and is no longer supported, and that healthcare organizations could be incentivized to invest in systems for tracking medical equipment.
Address the Current Cybersecurity Talent Shortage
There is currently a global shortage of cybersecurity professionals that is unlikely to be resolved in the short to medium term. Healthcare organizations struggle to recruit the necessary talent, and many cybersecurity positions in healthcare remain unfilled. The white paper suggests one way to address the shortage would be for Congress to create a workforce development program and to incentivize individuals to take on cybersecurity positions in healthcare, for example by offering student loan forgiveness to cybersecurity professionals who commit to serving in rural communities, similar to the National Health Service Corps Loan Repayment Program.
Reduce the Cost of Cyber Insurance
Cyber insurance is becoming increasingly expensive, and the application process is extensive and burdensome. The white paper suggests a federal reinsurance program could be introduced to cover plans that require minimum cyber hygiene standards to be maintained, which could help the industry achieve minimum cyber hygiene standards without government mandates. The program would standardize coverage elements and provide incentives for insurance companies to adopt them. This could lower overall risk, which in turn could help to reduce the cost of insurance.
Senator Warner is seeking feedback on the white paper from businesses, advocacy groups, researchers, and individuals. Comments should be submitted no later than December 1, 2022.
The post Cybersecurity is Now a Patient Safety Issue, Suggests Sen. Warner In Congressional Report appeared first on HIPAA Journal.