Industry groups seek cybersecurity safe harbor
- The Institute for Critical Infrastructure Technology released a report Tuesday summarizing strategies that hospitals, device companies and other industry groups back to reduce cybersecurity vulnerabilities.
- The think tank analyzed comments from the American Hospital Association and six other health groups submitted in response to Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, who wrote to 12 healthcare groups and four federal agencies seeking input on the state of industry security.
- Common themes that emerged include the need for collaboration among stakeholders, the need for a national strategy on cybersecurity and the availability of a "safe harbor" for HIPAA-covered entities that are breached despite adherence to cybersecurity best practices.
A report by cybersecurity firm Bitglass found that while the number of reported healthcare breaches dropped slightly from 294 in 2017 to 290 last year, the number of records breached more than doubled — from 4.7 million to 11.5 million.
Breached organizations face loss of revenue from service interruptions, ransom costs to unlock encrypted systems, hefty HIPAA fines for compromised records and damage to their brand image, potentially affecting patient volume.
Despite some progress, EHR vulnerabilities and underfunding for cybersecurity continue to put many hospitals and other organizations at risk, oftentimes from their own employees.
Cybersecurity, privacy and security topped healthcare executives' concerns in a recent HIMSS survey, ranking 5.69 on a seven-point scale with providers and 5.38 with vendors.
In addition to AHA, organizations providing feedback to Warner included medical device industry association AdvaMed, the American Medical Association, the College of Healthcare Information Management Executives, the Healthcare Leadership Council, HITRUST and the Virginia Hospital and Healthcare Association.
Among the key takeaways is the need for collaboration between government and industry stakeholders and cybersecurity experts.
"Threat sharing initiatives allow for stronger data protection and more importantly, for proactive deterrence options instead of reactive remediation efforts," the ICIT report says. "Collaboration between key stakeholders improves detection and response efforts, but it also prevents pass-through and supply chain attacks."
To promote adoption of proactive security policies and controls, AdvaMed urges its members to follow a set of five cybersecurity principles for best practices in managing risk with connected medical devices.
CHIME raised concerns about device companies having access to patient information without having signed HIPAA agreements with providers, as well as lack of real-time awareness of vulnerabilities and patch information.
Along those lines, organizations also cited the challenges of securing ever-larger interconnected networks. "To mitigate the increasing risk, healthcare organizations must begin to limit access and connection based on need rather than convenience, implement comprehensive layered security controls, and institute air gaps, jump boxes, and network segmentation wherever possible," according to the report.
Organizations also voiced support for a national strategy and federal guidance on cybersecurity in healthcare, including recommendations on assessing threats from inside an organization. And they urged regulators to provide incentives for good cyber controls rather than just penalizing infractions.
In its response, the AMA urged lawmakers and the administration to "permit 'multiple paths to compliance' with HIPAA's Security Rule," such as recognizing entities that implement the National Institute of Standards and Technology's cybersecurity standards framework as being in compliance with the rule.
On the issue of safe harbors, several groups, including AHA, CHIME, HITRUST and HLC, said offering protection from enforcement actions for security-conscious entities that are nevertheless breached would incentivize organizations to invest more heavily in security controls. To qualify, organizations would need to show compliance with cybersecurity best practices, perhaps via a certification process, AHA suggested.
"A safe harbor would give covered entities clarity about the level of diligence they need to exercise, including when they agree to share and exchange protected health information with other systems/organizations through tools like health information exchanges, to avoid OCR enforcement when an attacker gains access," AHA added.
In line with the call for a safe harbor, organizations urged Congress to direct HHS to develop a certification program and issue guidance providing baseline security safeguards aligned with the NIST cybersecurity framework.
- Institute for Critical Infrastructure Technology: An Analysis of Responses to Senator Warner's Health Sector Cybersecurity Inquiries