Healthcare Cybersecurity: Some Progress, Still Problems
Assessing the Sector's Cybersecurity Advances Over the Last 5 Years
"The job's not done yet" was a key takeaway from a White House roundtable this week marking the fifth anniversary of a task force's urgent recommendations for improving healthcare cybersecurity.
Biden administration officials, cybersecurity experts and industry leaders met in Washington for a briefing and roundtable discussion to take stock of developments since the June 2017 "Report on Improving Cybersecurity in the Health Care Industry," which warned that healthcare cybersecurity "is in critical condition."
The report contained dozens of recommendations developed with input from the Department of Health and Human Services and security experts from the public and private sectors.
Some experts, including individuals who worked on the 2017 report, tell Information Security Media Group the healthcare sector has since made improvements.
But the sector - especially during the coronavirus pandemic - has in many ways slipped into a weaker cybersecurity position, says at least one member of the original report task force.
"We saw hundreds of healthcare delivery organizations disrupted by ransomware attacks," says Josh Corman, who earlier this year ended an 18-month stint as healthcare sector chief strategist at the Cybersecurity and Infrastructure Security Agency on matters relating to coronavirus and public safety.
The 2017 report was a requirement of the Cybersecurity Information Sharing Act of 2015 (see: Analysis: Are HHS' Cybersecurity Recommendations Achievable?).
Among those attending this week's event celebrating the report's wooden anniversary were members of the Health Sector Coordinating Council's Cybersecurity Working Group Executive Committee, says Erik Decker, CISO of Intermountain Health and the committee's chair.
Attendees "committed to continuing to evaluate the 2017 report, determine areas where it could be updated, and align around establishing a system whereby 'you must beat all of us to beat one of us,'" he says.
Another member of the HHS cyber task group, former healthcare CIO David Finn, who did not attend the White House meeting, told ISMG he has a mixed assessment about the past five years of cybersecurity efforts.
"There has been much progress in the sector around security since the report was issued, less because it was embraced and acted on by Congress than by the fact that it galvanized the sector to an amazing degree," says Finn, who is now vice president of the education and networking associations within the College of Healthcare Information Management Executives, a healthcare CIO and CISO professional organization.
Neither HHS nor CISA immediately responded to Information Security Media Group's request for comment about the meeting and for additional details about what was discussed.
More Attention Needed
The need for continued attention to industry cybersecurity practices is self-evident. For instance, during the ongoing pandemic, the sector has been dealing with record-high patient caseloads and the fast adoption of less-vetted technologies for telework and telehealth, while at the same time dealing with record-low staffing and resources - all while dealing with record-high volumes of attacks by adversaries to disrupt and delay patient care.
Healthcare organizations unable to offer their more mainstream, higher-margin patient services during the pandemic - such as elective surgeries and non-urgent care not related to the coronavirus - suffered financially, resulting in further cuts to areas including security, Corman tells ISMG.
The ongoing divide between large organizations and their smaller counterparts, which possess fewer resources, also remains a concern, says Decker.
"We are concerned about the 'haves' and the 'have nots'; specifically the smaller organizations that are at risk but do not have the resources to combat the cyberthreats we face," he says. "This is front and center as we push forward with our efforts."
One thing HHS could do to improve matters is finally release an official cyber incident response plan for the sector, says Corman.
Among the task force's 2017 recommendations was for HHS to identify critical incident response plans for use by the healthcare sector. "HHS, from an incident response perspective, was unprepared for what we faced during the pandemic," he says.
A White House readout of the meeting reports that Andrea Palm, HHS deputy secretary, told participants the department is working to finalize incident response guidance.
Another ongoing challenge is the industry's stubborn perception that cybersecurity resides in its own bubble and does not factor into the delivery of quality patient care, says Finn.
"Cybersecurity is still thought of as an IT and security 'problem.' While we are making progress in this area, the sector has been slow to recognize that this is a question of enterprise risk," he says. "Security doesn’t understand or suffer the impacts of an attack. Clinical care and quality of care suffers."
The task force report addressed related governance issues, and while many of those recommendations have been addressed by government entities, "we don’t see that same focus at individual providers or business associates," he says.
Areas of Progress
Some task force members say the healthcare sector has notched some achievements such as generally higher levels of awareness and attention.
Perhaps the most progress relates to medical device security and internet of things medical technology, says Finn. "The task force report shined a bright light on the scope of the problem and the multitude of unique needs and issues. It shifted focus to a very neglected area - many people thought security for medical devices back then was a joke."
Device makers, hospital administrators, clinicians, biomedical engineers and IT and security people understood they would have to work together, while the Food and Drug Administration in particular provided more detailed cybersecurity guidance, he says. "The mission is not complete, but it is getting the kind of attention it needs."
HHS has made an effort to find deeper collaboration with the healthcare sector on matters involving cybersecurity. For instance, in 2020, HHS launched the Health Sector Cybersecurity Coordination Center. The center is charged with leading HHS' sharing of cybersecurity information, including mitigation resources. It frequently distributes educational materials as well as advisories related to the latest threats.
Corman says that in the last five years, among the most notable developments is the acknowledgement by healthcare, as well as the federal government, of the importance of software bills of materials.
President Joe Biden's 2021 executive order on cybersecurity mandated SBOMs for products sold to federal agencies by contractors. But even before that, some within the government and healthcare sectors have been touting the importance of SBOMs for several years, Corman says.
Most notably that includes the FDA, which recommended "cybersecurity bills of materials" for medical devices in premarket draft guidance issued in 2016, and then tweaked that to SBOMs in updated draft guidance released in April, he says (see: FDA Document Details Cyber Expectations for Device Makers).
Another major advancement spotlighted by Corman is changes to the federal physician self-referral regulations to help smaller, under-resourced healthcare providers.
The HHS modifications to the Stark Law allow larger hospitals and healthcare delivery systems to donate cybersecurity software, hardware and services to smaller affiliated clinics and physician practices without violating federal anti-kickback laws (see: HHS Rule Changes Allow For Cybersecurity Donations).