Healthcare Leaders Call for Cybersecurity Standards
Also: Please Help the Sector Pay for Cybersecurity, Execs Tell Senate Panel
Healthcare industry representatives called on Congress to ensure minimum cybersecurity standards for their industry, saying that a wholly voluntary approach is failing clinics and hospitals.
There is no shortage of best practices documents, said Stirling Martin, chief privacy and security officer at electronic health records giant Epic Systems, while testifying Thursday before a Senate panel.
Sifting through all of them and setting priorities is not an easy task, he told the Senate Homeland Security and Governmental Affairs Committee.
"One of the things that government can do to help is establish a minimum threshold for security best practices," said Martin.
Cybersecurity gaps are widest at small rural hospitals, testified Kate Pierce, who served for 21 years as CIO and CISO at North County Hospital, a 25-bed community hospital in Vermont.
Staff at rural hospitals are scarce and stretched thin, she said, and they wear multiple hats and juggle many duties. It is extremely rare to find any individuals who are specifically assigned to handle security at those facilities, said Pierce, who is currently an executive at Fortified Health Security.
Implementing security best practices that are only "recommendations" and contained in voluntary guidance is simply not on the radar of such under-resourced hospitals, which are also contending with a barrage of other major challenges, she testified.
"Without minimum standards, these facilities will not prioritize cybersecurity over the seemingly more pressing needs in currently strained budgets," Pierce said.
"But don't forget - we also need to provide them the ability to implement the security measures," she told the panel.
Changes to federal anti-kickback regulations allowing large hospitals to donate cybersecurity technology and services to smaller entities have had little impact on helping the have-nots, Pierce said. "There's been little traction," she said (see: HHS Rule Changes Allow for Cybersecurity Donations).
The healthcare industry needs help from the federal government to respond more effectively to the increasing frequency of attacks from nation-state actors and organized crime groups, testified Scott Dresen, CISO of Corewell Health, the largest integrated health system in Michigan.
"The U.S. government has actionable intelligence that would be of immediate value to the healthcare sector. While there is some degree of automated intelligence sharing, we need to make more of that intelligence accessible," he said.
Financial support to help organizations get involved with the Health Information Sharing and Analysis Center or other information-sharing organizations - "if it’s a cost-matching subsidy" - would also benefit many entities that don't currently participate in intelligence sharing, said Greg Garcia, executive director of cybersecurity for the Health Sector Coordinating Council.