“Unfortunately, the healthcare sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate. The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities.” 

These were a few of the words spoken by Senate Select Committee on Intelligence Chairman Mark R. Warner when announcing ‘Cybersecurity is Patient Safety’, a policy options paper that outlines the current cybersecurity threats facing healthcare providers. The policy paper, which was published in November 2022, also opens discussion on a series of policy solutions to improve cybersecurity across the industry.

The document details how cyberattacks in the healthcare sector have risen exponentially over the past ten years, with attacks on providers reaching an all-time high in 2021.

“Over the past decade, the American public has witnessed increasingly brazen and disruptive attacks on its health care sector that jeopardize sensitive personal information, delay treatment, and ultimately lead to increased suffering and death. In 2021, cybersecurity attacks on health care providers reached an all-time high, with one study indicating that more than 45 million people were affected by such attacks in 2021 – a 32% increase over 2020.” 

Senator Warner has a history of crafting legislation that addresses the cybersecurity challenges facing the United States. In 2017, he co-authored the Internet of Things (IoT) Cybersecurity Improvement Act which was signed into law in December 2020. He also co-authored legislation that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government. Again, this legislation was signed into law by President Joe Biden in March 2022 as part of the Consolidated Appropriations Act. 

Recently, Senator Warner and his staff engaged with numerous security researchers, business leaders, advocacy groups, and trade associations to gather input on the cybersecurity challenges facing the healthcare sector and potential solutions to these issues. This is what led to the document published in November 2020 – ‘Cybersecurity is Patient Safety’. 

Cybersecurity is Patient Safety 

The whitepaper, which argues that improving cybersecurity in the healthcare sector will require collaboration from both the public and private sectors, is divided into three parts.  

1. Chapter one covers areas that the federal government needs to address to improve our national risk posture when it comes to cybersecurity in the health care sector.
2. Chapter two covers ways that the federal government can help the private sector meet this threat through a combination of potential mandates and voluntary incentives to adopt best practices.
3. Chapter three covers policies that could help health care providers respond to attacks in the event of a cybersecurity failure.

Chapter 1: Improving Federal Leadership and Our National Risk Posture  

“In order to understand whether any reforms are needed to the federal government’s health care cybersecurity prevention and response capabilities, one must first understand the current landscape of actors.” 

The whitepaper first introduces the various institutions that make up the healthcare cybersecurity ecosystem. Nineteen different organizations are listed, including the FDA, FBI, CISA, NTIA, and NIST. The whitepaper emphasizes that in any effort to bolster national risk posture, all actors must be aligned, and that the mission of every health and public health actor must be to prioritize patient safety.

This chapter then notes seven key challenges facing federal government agencies with jurisdiction over healthcare providers and cybersecurity. These include: 

1. Healthcare cybersecurity leadership within the federal government: The document suggests improving federal leadership related to healthcare cybersecurity. This includes designating a U.S. Department of Health and Human Services (HHS) point person responsible for cybersecurity. It is suggested that this person should be empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in healthcare.
2. Protecting healthcare research and development from cyberattacks: The healthcare sector is one of the biggest investors in research and development (R&D) across the United States, which makes it a large target for intellectual property and trade secret theft. To address this long-standing issue, the whitepaper proposes that the Department of Justice develop guidance for industry and academia on evaluating the potential economic impact, reputational damage, loss of intellectual property, and other cybersecurity risks for health care R&D, as well as recommendations on how best to combat these threats.
3. Healthcare-specific guidance from the National Institute of Standards and Technology: NIST released its ‘Framework for Improving Critical Infrastructure Cybersecurity’ in 2014, and in 2022 began the process of updating the Cybersecurity Framework. While the whitepaper commends the work done, it suggests that more detailed guidance for the healthcare industry is required.
4. Modernizing HIPAA to address cyber threats: One proposal under consideration is mandating a regular process to modernize HIPAA regulations so that they address a broader scope of cybersecurity threats instead of focusing only on covered entities’ responsibility to protect a patient’s personal health information.
5. Stark Law and Anti-Kickback Statute: The Anti-Kickback Statute and Stark Law are two laws that work to protect federal healthcare programs, such as Medicare, from waste, fraud, and abuse. The whitepaper suggests that the laws should be made clearer so that they do not prevent stakeholders in legitimate partnerships from working together on cybersecurity improvements that would protect the healthcare system.
6. A workforce development program that focuses on healthcare cybersecurity: This is proposed to address the long-standing shortage of cybersecurity professionals in the healthcare sector.
7. Student loan forgiveness for service in rural areas: Again, this measure is suggested as a means of dealing with the persistent challenge of hiring and retaining cybersecurity professionals in the healthcare sector.

Chapter 2: Improving Healthcare Providers’ Cybersecurity Capabilities Through Incentives & Requirements 

Chapter two of the whitepaper proposes the introduction of a baseline of healthcare cyber-hygiene practices to protect patient health information. This section also proposes a number of solutions to help the most vulnerable healthcare delivery organizations meet their cybersecurity needs by introducing financial incentives and regulatory requirements.

“Many healthcare organizations face resource constraints, and some organizations have argued that they cannot afford to retain in-house information security personnel or dedicate an IT staff member primarily to cybersecurity. These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.”

Incentives and requirements introduced in this section include: 

• Incentive programs to phase out legacy equipment: Some have suggested a model based on the 2009 Car Allowance Rebate System, or “cash for clunkers,” the federal program that helped take less fuel-efficient cars off the road.
• Requiring SBOM publication for all software and devices used by the healthcare industry, together with incentives to promote the adoption of SBOMs: Here, once again, SBOMs are cited as a key building block in software security and software supply chain risk management.
• Streamlining information sharing: There are a number of requirements and recommendations for healthcare systems to share information related to security breaches and vulnerabilities, but it is often difficult to know where one is supposed to share relevant information. Some experts have suggested that Congress should act to increase membership in H-ISAC to facilitate maximum participation across the industry.

Chapter 3: Recovery from Cyber Attacks 

The final section notes ways institutions can recover following successful cyberattacks, and how to limit the resulting impact on patients and systems. 

The recovery solutions fell into five main areas: 

1. Cyber emergency preparedness: Questions raised in this area include whether “healthcare providers should be required to train all staff members within the healthcare system to use alternate or legacy systems in the event of catastrophic failure to connected systems?” and “should the FDA require medical devices to have a failsafe mode in the event of connectivity failure or other security incidents?”
2. Strategic national stockpile of common equipment: One proposal being considered is to augment the stockpile with common equipment needed by hospitals facing cyberattacks, such as analog-equivalent medical devices, laptops, walkie-talkies, and other mobile devices.
3. Disaster relief program: To help hospitals and other healthcare organizations recover faster after a cyber disaster, one proposal is to establish a cyber disaster relief program that provides relief to victims of a cyberattack, similar to the assistance provided to victims of natural disasters.
4. Safe harbor/immunity if healthcare organizations implement adequate security measures: The whitepaper proposes that Congress should consider policies that encourage information sharing, including with patients, and encourage industry-wide learning and improvement by sharing vulnerabilities and responses.
5. Cyber insurance: Insurance against damages from cyberattacks has increased in prominence, but such insurance is still relatively new compared to the long history of other forms of insurance. Questions raised in this regard include “should Congress create a reinsurance program or otherwise regulate cyber insurance?” and “what can Congress do to facilitate information sharing between the intelligence community and insurers?”

Providing Feedback on ‘Cybersecurity is Patient Safety’ 

This policy options document was issued with the intent of soliciting feedback from stakeholders on the potential options described within it. Anyone interested in submitting comments specific to the content and questions outlined in the document should send a letter or an email to cyber@warner.senate.gov.

The document can be read in full here
