Boosting Healthcare Sector Cybersecurity: Essential StepsCongressional Panel Hears Testimony on Importance of Information Sharing
Cybersecurity in the healthcare sector, which remains inadequate, could be boosted with better threat information sharing as well as improved collaboration with federal agencies, several experts told a Congressional panel April 4.
The House Energy and Commerce Subcommittee on Oversight and Investigations convened the hearing, where Terence Rice, CISO at the pharmaceutical firm Merck & Co., testified that the overall state of cybersecurity in healthcare is likely much worse than the public and industry realize. "The total number of cybersecurity incidents is significantly underreported," he said.
"Today, organizations are only required to report cybersecurity incidents when personal health information is breached, the incident directly impacts patient safety or the loss of information or disruption of service would be considered a financially material event," he told the panel.
"Organizations are unlikely to report security incidents if not required to do so, given the potential reputational harm that might occur. The reports we read about are only a small fraction of the incidents that actually occur. Furthermore, the incidents that do get reported - for example breaches of personal health information - also create a narrow focus on privacy protections for personal health information instead of considering the full spectrum of impacts caused by healthcare cyber incidents."
At the hearing, members of the panel heard calls for boosting awareness of threat information sharing opportunities in the healthcare sector and offering incentives for participation.
Denise Anderson, president of the National Health Information Sharing and Analysis Center, testified about the group's efforts to help bolster cyber information sharing. Those efforts include the recent creation of a Medical Device Security Information Sharing Council that NH-ISAC formed with another industry group, the Medical Device Innovation Safety and Security Consortium, to help improve disclosure and communication related to medical device cybersecurity issues.
Anderson testified that many healthcare organizations, especially smaller physician group practices, are unaware that a healthcare ISAC exists. She argued that tax breaks or other incentives could help motivate more organizations to join an ISAC. In addition, she said having the National Institute of Standards and Technology recommend as a best practice that organizations join an ISAC for cyber information sharing could also boost membership.
"Government, and specifically the sector-specific agencies, should regularly and consistently encourage [organizations] ... especially at the board and CEO level to join their respective ISACs," she testified. "This has been very effective in the financial sector, where the U.S. Department of the Treasury, the regulators and state agencies have been strongly encouraging membership in the FS-ISAC as a best practice."
But Is It Affordable?
In response to one committee member's inquiry on whether the price point for NH-ISAC membership is too steep for some smaller healthcare entities to join, Anderson testified that NH-ISAC recently reduced its annual membership fee to $1,200. She also noted that the group recently offered a free 14-city ransomware mitigation road show that was co-hosted with the Multi-State ISCA.
Rice, who noted that Merck is an NH-ISAC participant, told members of Congress that gaining broader participation in the group, including by smaller organizations, would substantially efforts to boost healthcare sector cybersecurity.
Compared to some other sectors, such as the financial services industry, healthcare's ISAC is newer and has fewer members participating, he noted. NH-ISAC has about 200 members, versus 6,000 members of the Financial Services ISAC, he testified.
Anderson also testified that the confidential information shared among the members of an ISAC should be considered protected information and not subject to disclosure, even by court order.
"Recently, the Automotive ISAC was served a non-party deposition subpoena to furnish all documentation related to communications between the Auto ISAC and one of its members," she testified. "The Auto ISAC, with the help of other ISACs, was able to quash the subpoena with [the court] effectively ruling that the subpoena was nothing more than a fishing expedition."
If courts were to allow broad sweeps for information through ISACs, she testified, "such actions would effectively kill information sharing and undermine Congress' important information sharing goals set forth by the Cybersecurity Information Sharing Act of 2015 and the government's interest in promoting national security through the ISACs and public-private information sharing."
Some committee members asked what government agencies could do to facilitate more collaboration to improve cybersecurity in the healthcare sector.
Rice testified that the Department of Health and Human Services should appoint a senior cybersecurity professional as a liaison to the private sector.
"Today, the assistant secretary for preparedness and response has the responsibility for ensuring the healthcare sector is prepared to respond to a critical health emergency, such as a pandemic flu outbreak or the disruption of critical health infrastructure from a natural disaster as occurred in New Orleans during Hurricane Katrina. The Office of National Coordinator has a chief privacy officer who, along with the HHS Office of Civil Rights, works with the private sector on privacy policies and implements enforcement actions when necessary," he testified. "HHS also has a chief information security officer within the Office of the Chief Information Officer who is primarily responsible for protection of HHS systems and services. All four of these offices interact with the private sector but none of them have cybersecurity outreach as their primary mission."
A cybersecurity liaison would not supplant the efforts of the other officials, but instead focus on education and awareness of cybersecurity risks within the sector, Rice said.
Some agencies within HHS, including the Food and Drug Administration - have been increasingly active in efforts to improve cybersecurity, the witnesses noted.
For instance, Michael McNeil, global product security and services officer at medical device maker Royal Philips, pointed out that the FDA has been ramping up its efforts, including issuing pre- and post-market medical device cybersecurity guidance, as well as participating in workshops aimed at building industry awareness of cybersecurity concerns.
"The FDA has done outreach to get stakeholders together," he said.
Still, when it comes to awareness of the cybersecurity risks faced by the healthcare sector - and communication about those problems, McNeil testified he'd like to see "10-fold growth immediately."