- The Institute for Critical Infrastructure Technology released an analysis Tuesday of industry responses to a Feb. 21 letter from the Senate Intelligence Committee's Mark Warner, D-Va., which called on 12 healthcare groups and four federal agencies to offer feedback to inform development of "a national strategy that improves the safety, resilience, and security of our health care industry."
- The cybersecurity think tank's report examined public comments from AdvaMed and six other organizations. Common themes that emerged include the need to collaborate among stakeholders, need for a national strategy on cybersecurity and availability of a "safe harbor" for HIPAA-covered entities that are breached despite adherence to best practices for cybersecurity.
- On the device front, AdvaMed has voiced that medtech companies should build cybersecurity considerations into product development, implement cross-industry coordinated vulnerability disclosure policies, and adopt consensus standards and regulations.
A report by cybersecurity firm Bitglass found that while the number of reported healthcare breaches dropped slightly from 294 in 2017 to 290 last year, the number of records breached more than doubled — from 4.7 million to 11.5 million.
Despite some progress, EHR vulnerabilities and underfunding for cybersecurity continue to put many hospitals and other organizations at risk, oftentimes from their own employees. Cybersecurity, privacy and security topped healthcare executives' concerns in a recent HIMSS survey, ranking 5.69 on a seven-point scale with providers and 5.38 with vendors. Breached organizations face loss of revenue from service interruptions, ransom costs to unlock encrypted systems, hefty HIPAA fines for compromised records and damage to their brand image, potentially affecting patient volume.
It's not just EHRs that are affected; ICIT notes a 2017 Trend Micro report found more than 100,000 medical devices and systems were exposed directly to the public internet. Other examples include devices from Bayer and Siemens infected with ransomware in May 2017, and devices flagged by the U.S. Department of Homeland Security as having vulnerabilities, like imaging systems from GE Healthcare and cardiac implants from Medtronic.
In addition to AdvaMed, organizations providing feedback to Warner included the American Hospital Association, the American Medical Association, the College of Healthcare Information Management Executives, the Healthcare Leadership Council, HITRUST and the Virginia Hospital and Healthcare Association.
Among the key takeaways is the need for collaboration between government and industry stakeholders and cybersecurity experts.
"Threat sharing initiatives allow for stronger data protection and more importantly, for proactive deterrence options instead of reactive remediation efforts, the ICIT report says. "Collaboration between key stakeholders improves detection and response efforts, but it also prevents pass-through and supply chain attacks."
CHIME raised concerns about device companies having access to patient information without having signed HIPAA agreements with providers, as well as lack of real-time awareness of vulnerabilities and patch information. Along those lines, organizations also cited the challenges of securing ever-larger interconnected networks.
Organizations also voiced support for a national strategy and federal guidance on cybersecurity in healthcare, including recommendations on assessing threats from inside an organization. And they urged regulators to provide incentives for good cyber controls rather than just penalizing infractions.
In its response, the AMA urged lawmakers and the administration to "permit 'multiple paths to compliance' with HIPAA's Security Rule," such as recognizing entities that implement the National Institute of Standards and Technology's cybersecurity standards framework as being in compliance with the rule.
On the issue of safe harbors, several groups, including AHA, CHIME, HITRUST and HLC, said offering protection from enforcement actions for security-conscious entities that are nevertheless breached would incentivize organizations to invest more heavily in security controls. To qualify, organizations would need to show compliance with cybersecurity best practices, perhaps via a certification process, AHA suggested.
"A safe harbor would give covered entities clarity about the level of diligence they need to exercise, including when they agree to share and exchange protected health information with other systems/organizations through tools like health information exchanges, to avoid OCR enforcement when an attacker gains access," AHA added.
In line with the call for a safe harbor, organizations urged Congress to direct HHS to develop a certification program an issue guidance providing baseline security safeguards aligned with the NIST cybersecurity framework.