Groups Offer Ideas for Improving Healthcare CybersecurityRecommendations Made in Response to Request by Sen. Mark Warner
Several industry groups have offered suggestions - ranging from better cyber information sharing to new regulatory "safe harbors" for entities complying with best practices - to Sen. Mark Warner, D-Va., in response to his recent request for input on how the healthcare sector can improve its cybersecurity posture.
Warner in February sent letters to four federal agencies and 12 healthcare associations posing long lists of questions as a prelude to developing short-term and long-term strategies for improving healthcare cybersecurity (see: Sen. Warner Demands Answers on Healthcare Cybersecurity).
A Warner spokeswoman did not specifically answer an Information Security Media Group inquiry about how many groups and agencies responded to the senator's request by the deadline. But she says the responses received have been helpful.
"Our staff has already received productive responses and has met with stakeholders in response to the request for information and will continue to over the course of the next few weeks," she says.
Warner's office is not releasing the responses, although some of the groups that submitted comments have released them on their own or have shared their comments directly with ISMG.
More Cyber Information Sharing
The Health Information Sharing and Analysis Center not only responded to the letter but also recently met with Warner's staff. Also involved in the meeting were representatives of the Cyber Working Group of the Health Sector Coordinating Council, H-ISAC president Denise Anderson tells ISMG.
"We recommended that government can help by encouraging the adoption of cybersecurity best practices, she says. That includes multifactor authentication, full disk encryption, least privilege access, network segmentation, regular patching, employee education and awareness, information sharing and the use of DMARC - the Domain-based Message Authentication, Reporting & Conformance standard, she explains.
"To encourage information sharing, which has proven to be an effective tool in combating cybersecurity threats, vulnerabilities and incidents, we recommended government, and specifically HHS and DHS, should regularly and consistently encourage owner/operators, especially at the board and CEO level, to join the Health ISAC as a best practice," Anderson adds.
In its response to Warner, the Advance Medical Technology Association, which represents medical device makers and other health IT vendors, noted that it will soon establish the MedTech Information Sharing and Analysis Organization.
"ISAOs allow communities of interest to share cybersecurity-related information with each other and can provide timely cybersecurity information otherwise unavailable to a specific company that might prevent, or at least identify, compromises, reveal potential vulnerabilities, and promote useful system modifications, threat reduction and cost savings," AvaMed wrote.
"Once operational, the AdvaMed MedTech ISAO will permit its participants to actively and rapidly share information relating to cybersecurity threats, vulnerabilities, incidents and mitigations in a safe and secure environment."
Hospital Association Recommendations
The American Hospital Association offered several suggestions to Warner for ways the healthcare sector can bolster cybersecurity.
AHA noted it supports a number of recommendations that were included in a report issued earlier this year by the Healthcare and Public Health Sector Coordinating Council, which also built on a set of earlier recommendations included in a 2017 report issued by the Department of Health and Human Services' HHS cyber task force (see HHS Publishes Guide to Cybersecurity Best Practices).
"We urge the HHS Office of Civil Rights to consider ways to develop a safe harbor for HIPAA covered entities that have shown, perhaps through a certification process, that they are in compliance with best practices in cybersecurity."
—American Hospital Association
In particular, AHA says it supports increasing the focus on the security and resilience of medical devices - especially legacy devices - as well as efforts to develop the healthcare cybersecurity workforce capacity.
But the AHA is also hoping that regulators will refocus their enforcement activities.
"We urge the HHS Office of Civil Rights to consider ways to develop a safe harbor for HIPAA covered entities that have shown, perhaps through a certification process, that they are in compliance with best practices in cybersecurity. ... A safe harbor would give covered entities clarity about the level of diligence they need to exercise, including when they agree to share and exchange protected health information with other systems/organizations through tools like health information exchanges, to avoid OCR enforcement when an attacker gains access," AHA wrote.
In addition, the AHA said that it supports devoting federal resources to developing and disseminating coordinated national defensive measures, both within government and the private sector; identifying and disrupting bad actors through law enforcement activities; increasing the consequences for those who commit cybercrimes; and identifying and supporting best practices by the private sector.
In its response to Warner, the American Medical Association emphasized four major points:
- Cybersecurity is a patient safety issue.
- Cyberattacks are inevitable and increasing.
- Physicians are interested in receiving tools and resources to assist them in their cybersecurity efforts.
- The increased focus on electronic health information exchange is "putting the entire health care ecosystem at risk."
The AMA wrote that technology has increased connectivity and collaboration in all facets of the healthcare delivery system. But the association noted that its members are concerned about how to securely share health information.
"This integration is increasingly important as the industry moves toward value-based care and provides more care outside the four walls of a bricks-and-mortar health care practice," AMA wrote.
Bill of Materials
The AMA also called for health IT vendors and medical device makers to offer more transparency about the cybersecurity of their products. That includes providing a bill of materials with their products.
A software bill of materials includes a list of components, such as equipment and software, in a given product and any known risks associated with those components "to enable healthcare providers to more quickly determine if they are impacted by a cybersecurity threat," the AMA said.
Other groups also noted in their responses to Warner the importance of having vendors provide a bill of materials for their products.
AdvaMed wrote that numerous industry associations and stakeholders are working to develop a standard format for a software bill of materials through a multistakeholder effort that is being led by the U.S. National Telecommunications Industry Association. Meanwhile, a revised Manufacturer Disclosure Statement for Medical Device Security standard is being developed by the Medical Imaging & Technology Alliance.
The Food and Drug Administration, in its latest draft update to its pre-market medical device cybersecurity guidance, also calls for manufacturers to provide a cybersecurity bill of materials with their products (see: FDA Calls for Cybersecurity Bill of Materials for Devices).