Groups Urge Biden, Congress to Bolster Health Sector Cyber
Want More Funding, Attention, Support for Healthcare Security
As the federal government hammers out national infrastructure legislation, implements President Biden's recent cybersecurity executive order and adopts other related initiatives, more attention and funding needs to be allocated to strengthen the healthcare sector's cybersecurity posture and resilience, some industry groups urge.
In a letter Wednesday addressed to Biden, but also copied and sent to Senate and House party leaders, the Healthcare and Public Health Sector Coordinating Council requested heightened collaboration between industry and government to provide a road map for driving improvements to the cybersecurity readiness of the healthcare sector.
HSCC, a private-sector critical infrastructure advisory council to the Department of Health and Human Services created by Presidential Policy Directive 21 in 2013 during the Obama administration, represents more than 300 healthcare sector organizations, including patient care delivery networks, health plans, laboratories and health IT vendors.
Healthcare Sector Overlooked
While HSCC writes that it was pleased to see the recently enacted American Rescue Plan direct $650 million to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency for cybersecurity risk mitigation programs, none of the funding is directly targeted to help the healthcare sector, HSCC notes (see Modernization Grants Will Prioritize Cybersecurity).
"In assessing how the American Rescue Plan, coupled with the recently released Executive Order on Improving the Nation's Cybersecurity, can measurably strengthen the security and resiliency of the healthcare system and patient safety, we request an enhanced strategic planning process within the administration that will complement the ongoing cybersecurity partnership between the HSCC, the Department of Health and Human Services and other essential government partners," the letter says.
Greg Garcia, HSCC executive director, tells Information Security Media Group that HHS, as the healthcare sector's risk management agency, "is under-resourced to support and complement industry and CISA efforts in health sector cybersecurity risk management and response."
Meanwhile, a strong understanding or intense interest in the dire cyber challenges facing the healthcare sector is also apparently lacking in some corners of Congress, he says.
For instance, on Wednesday during a Senate committee confirmation hearing for Dawn O'Connell, Biden's nominee for HHS assistant secretary for preparedness and response, or ASPR - which is the office responsible for engaging with the health sector on matters of critical infrastructure preparedness and emergency response - "I heard no questions from the committee members to the nominee about cybersecurity," he notes.
"So, while our partnerships with HHS and DHS are maturing and providing benefit to the sector, we’re asking for a booster shot. We need joint development of a strategic plan for healthcare cybersecurity as a critical infrastructure imperative," he says.
The healthcare industry faces relentless cybersecurity threats that have grown in magnitude and complexity year after year, Garcia says. For instance, in recent months and weeks, many hospitals large and small have been hit with ransomware attacks and other cyberattacks disrupting the delivery of patient care and affecting access to patient records (see: Security Incident Leads Scripps Health to Postpone Patient Care).
In fact, a recent study by security firm Bitglass found a 55% surge in cyber incidents against the healthcare sector in 2020, HSCC notes in its letter to Biden.
"Our members are under constant attack by increasingly sophisticated criminals, many of whom are adversary nation-states," Mari Savickis, vice president of public policy at the College of Healthcare Information Management Executives, or CHIME, which represents healthcare CISOs and CIOs, tells ISMG.
"Cybersecurity threats in healthcare pose real threats to patient safety - bottom line. Healthcare providers - even those who are larger with more evolved cybersecurity programs - need help," she says.
On the legislative front, CHIME and its members are satisfied with a bill that was signed into law in January that requires HHS to consider the security practices implemented by covered entities and business associates before making determinations about fines for HIPAA security rule violations, she notes (see: Bill Spells Out New Factors to Weigh in Setting HIPAA Fines).
"While we are awaiting HHS to promulgate rules, we are very pleased that it calls on HHS to give healthcare providers credit for following recognized security practices to fend off cyberattacks," she says.
But other legislative measures to help the healthcare sector bolster its cybersecurity posture are badly needed, she adds.
For instance, CHIME is supportive of "incentives" that would help "lesser-resourced providers, such as smaller healthcare entities, replace vulnerable legacy devices that are no longer supported by manufacturers," Savickis says.
More Help for HHS
Additional financial resources are needed for critical groups within HHS - including ASPR and the Health Sector Cybersecurity Coordination Center, or HC3 - that help support the healthcare sector at large in its cybersecurity efforts, Savickis says.
"Not only do we want to see more funding for HHS ASPR - the arm that responds to emergencies - but we also want to see more funding for HC3," she says.
"They are a national asset and have the potential to do so much more, but they need a dedicated funding stream."
HHS created HC3 to help identify, correlate and communicate cybersecurity information across the healthcare and public health sector and within HHS and its government partners, according to Savickis.
HC3 "also facilitates access to knowledge-based resources necessary to support robust cybersecurity programs and mitigate damage in security breach situations," she says.
"However, HC3 is under-resourced and staffed largely by contractors. With additional funding, HC3 could better support the health sector, including critical infrastructure guidance and expertise, research and planning, exercises and, importantly, in crisis response."
As far as the Biden executive order is concerned, although comprehensive, "most of the direction is aimed inward at strengthening the federal government’s own systems," rather than helping the healthcare sector bolster its cybersecurity, Savickis says.