WASHINGTON — Small rural hospitals want more financial help from the federal government if they are to pay more attention to cybersecurity, Kate Pierce said Thursday at a Senate Homeland Security and Governmental Affairs Committee hearing on cybersecurity in healthcare.
“Our rural hospitals are facing unprecedented budget constraints, with up to 30% or more in the red,” said Pierce, who is senior virtual information security officer with Fortified Health Security and former chief information officer at North Country Hospital in Newport, Vermont. “With the [COVID-19] public health emergency scheduled to end in May, many hospitals anticipate a rise in free care, with as many as 15 million Medicaid patients projected to lose coverage.”
In that environment, “cybersecurity programs continue to lag behind, with budgeted security spending redirected to cover higher-priority expenses,” she said. “These small hospitals struggle to hire and retain skilled cybersecurity professionals, often with little to no staff solely dedicated to security … We cannot leave our small and rural hospitals behind. Funding opportunities must be made available to these hospitals.”
The problem of cybersecurity breaches is a widespread one, stressed committee member Sen. Alex Padilla (D-Calif.), who said that according to Department of Health and Human Services (HHS) data he looked at, “as of yesterday morning, there were 63 different California-based breaches of unsecured protected health information under investigation, affecting over 90 million people. That is more than two times the state’s population. So the national scale of the problem is alarming.”
He asked Stirling Martin, chief privacy and security officer at Epic Systems, a health information technology firm in Verona, Wisconsin, why health information in particular was so valuable to those who tried to steal it. “Part of what makes healthcare data [such as birth dates and Social Security numbers] so sensitive is that it doesn’t change; it’s not something that can be reset or changed like a password or credit card number,” said Martin. “So once it falls into a bad actor’s hands, that information can be used in perpetuity for future crimes, whether that’s identity theft or blackmail.”
In addition to more funding for cybersecurity, Pierce also called for more regulation of hospitals with respect to their cybersecurity standards. “We must move beyond guidance and recommendations and create minimum standards for cybersecurity,” she said. “These standards must be reasonable, achievable, and continually evolving as cybersecurity requirements change.”
Having standards to meet, and the funding to meet them, would force hospitals to put cybersecurity higher on their priority list, Pierce said in response to a question from Sen. Maggie Hassan (D-N.H.).
Pierce said she has worked with hundreds of small hospitals across the country, “and invariably, they’re at a state where ‘there’s absolutely no security program’ to ‘it’s very minimal.’”
“Everyone is now aware of where their risks are, but they’re choosing to accept those risks mostly for financial reasons because they can’t afford personnel to address those risks,” she added. “We need to also give them the ability to actually implement their security measures.”
A related problem, witnesses said, is that there is almost too much guidance to choose from. “There is no shortage of recommendations and guidance and things that organizations could be or should be doing,” said Martin. “The challenge we see is taking stock of all of those different sources and deciding what to actually do, given all those different inputs … One of the key things that the federal government can do to help would be to establish a minimum threshold for security best practices. Having that minimum threshold would be extremely helpful for organizations.”
Greg Garcia, executive director for cybersecurity at the Healthcare and Public Health Sector Coordinating Council, agreed. He noted that the federal government and healthcare organizations will soon issue Health Industry Cybersecurity Practices (HICP) 2023. “This is a set of best practices that are minimum security practices that all health systems should be implementing,” Garcia said. “And those are developed by the sector for the sector, and together with HHS. There is a glut of ‘security best practices’ out there. We need to pick one, because there is a lot of confusion. We recommend that the HICP could be the best effort at a joint government/industry publication offered freely, accessible to all health systems, and CISA [the federal Cybersecurity and Infrastructure Security Agency] needs to follow and push that along with us.”
The government also needs to improve coordination among the various entities responsible for cybersecurity, said Garcia. “It is commendable that CISA, in its role as the national coordinator for critical infrastructure security, has directed more of its attention to healthcare cybersecurity, but that level of attention needs to be triangulated among HHS as the sector lead, CISA as the technical support, and industry as the owners and operators,” he said. “That necessary relationship is improving, and we’re glad for that, but more improvement can be done.”
As for what organizations themselves can do, “we need to do a culture change,” Garcia said. “For as long as I have been in cybersecurity, everyone outside of the security team says, ‘Cybersecurity, that’s the security team’s job, not my job; I’m the CIO, I’m the CEO, I’m in management.’ No, it is actually everybody’s job, right down to the clinician. Indeed, one of the biggest threats in cybersecurity often is the frontline user: anybody who is touching a keyboard, or a tablet, or a phone or any kind of medical technology.”
Scott Dresen, senior vice president for information security at Corewell Health, a healthcare provider based in Michigan, urged senators not to be too punitive toward providers who cannot meet cybersecurity requirements. “We understand and support the legislative intent to encourage adoption of best practices and the implementation of appropriate protections to safeguard our data,” he said. “However, penalizing victims of cyberattack when defensive measures cannot keep up with the sophistication of attackers is not the fair approach.”