
Healthcare Leaders Call for Cybersecurity Standards

Also: Please Help the Sector Pay for Cybersecurity, Execs Tell Senate Panel
Witnesses being sworn in at Senate panel on healthcare cybersecurity Thursday (Image: U.S. Senate)

Healthcare industry representatives called on Congress to ensure minimum cybersecurity standards for their industry, saying that a wholly voluntary approach is failing clinics and hospitals.


There is no shortage of best practices documents, said Stirling Martin, chief privacy and security officer at electronic health records giant Epic Systems, while testifying Thursday before a Senate panel.

Sifting through all of them and setting priorities is not an easy task, he told the Senate Homeland Security and Governmental Affairs Committee.

"One of the things that government can do to help is establish a minimum threshold for security best practices," said Martin.

Cybersecurity gaps are widest at small rural hospitals, testified Kate Pierce, who served for 21 years as CIO and CISO at North County Hospital, a 25-bed community hospital in Vermont.

Staff at rural hospitals are scarce and stretched thin, she said; they wear multiple hats and juggle many duties. It is extremely rare to find any individuals who are specifically assigned to handle security at those facilities, said Pierce, who is currently an executive at Fortified Health Security.

Implementing security best practices that are only "recommendations" and contained in voluntary guidance is simply not on the radar of such under-resourced hospitals, which are also contending with a barrage of other major challenges, she testified.

"Without minimum standards, these facilities will not prioritize cybersecurity over the seemingly more pressing needs in currently strained budgets," Pierce said.

"But don't forget - we also need to provide them the ability to implement the security measures," she told the panel.

Changes to federal anti-kickback regulations allowing large hospitals to donate cybersecurity technology and services to smaller entities have had little impact on helping the have-nots, Pierce said. "There's been little traction," she said (see: HHS Rule Changes Allow for Cybersecurity Donations).

The healthcare industry needs help from the federal government to respond more effectively to the increasing frequency of attacks from nation-state actors and organized crime groups, testified Scott Dresen, CISO of Corewell Health, the largest integrated health system in Michigan.

"The U.S. government has actionable intelligence that would be of immediate value to the healthcare sector. While there is some degree of automated intelligence sharing, we need to make more of that intelligence accessible," he said.

Financial support to help organizations get involved with the Health Information Sharing and Analysis Center or other information-sharing organizations - "if it’s a cost-matching subsidy" - would also benefit many entities that don't currently participate in intelligence sharing, said Greg Garcia, executive director of cybersecurity for the Health Sector Coordinating Council.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



