AHA responds to Senator Warner on cybersecurity policy options in healthcare sector

The American Hospital Association (AHA) recently provided feedback on the cybersecurity policy proposals released in a policy paper by U.S. Senator Mark Warner last month. The association was responding on behalf of its nearly 5,000 member hospitals, health systems, and other healthcare organizations, clinician partners including over 270,000 affiliated physicians, 2 million nurses and other caregivers, and the 43,000 healthcare leaders who belong to professional membership groups. 

“Cybersecurity is, at its core, a necessary element of patient safety for hospitals and health systems. We appreciate the opportunity to provide comments and work with you to continue to improve cybersecurity in the healthcare field,” Stacey Hughes, executive vice president for government relations and public policy at the AHA, wrote in a recent letter. “Hospital and health system leaders recognize the information and resources held by health care organizations are highly sensitive and valuable and are taking cybersecurity challenges extremely seriously. They have implemented important security steps to safeguard clinical technologies and information systems while they continue to enhance their data protection capabilities.”

Hughes added that hospitals and health systems have made great strides to defend their networks, secure patient data, preserve the efficient delivery of healthcare services and, most importantly, protect patient safety.

In the letter addressed to the senator, Hughes addressed a host of issues, including improving federal leadership and national risk posture, and enhancing healthcare providers’ cybersecurity capabilities through incentives and requirements. She also touched upon recovery from cyberattacks across the healthcare sector.

“AHA has supported the Healthcare Cybersecurity Act (S.3904/H.R.8806). This legislation would improve collaboration and coordination between CISA and HHS, along with supporting educational opportunities for providers. The bill authorizes cybersecurity training for the Healthcare and Public Health (HPH) sector,” Hughes wrote. “We appreciate that the bill calls for an analysis of cybersecurity risks to the HPH sector with a focus on impacts to rural hospitals, vulnerabilities of medical devices, and cybersecurity workforce shortages, among other important issues.” 

Hughes added that the AHA also supports the development of coordinated national defensive measures, an expansion of the cybersecurity workforce, disruption of bad actors that target U.S. critical infrastructure, and the utilization of a ‘whole of government’ approach to increasing risk and consequences for those who commit attacks.

AHA supports maintaining the HHS 405(d) program, which was created under the Cybersecurity Act of 2015, Hughes wrote, adding that the group has been active and has broad support across the healthcare field. “Additional agencies including the Federal Bureau of Investigation (FBI) and CISA should engage through their respective private sector outreach programs. Many organizations have implemented the 405(d) developed, voluntary consensus-based cyber practices known as the Healthcare Industry Cybersecurity Practices (HICP), which shows the efficacy of the group. This work should be more fully supported through additional funding and resources,” she added.

“In addition, the AHA, in partnership with the FBI, has raised awareness with members regarding China’s efforts to acquire medical research and IP through both legitimate business and research relationships and through illegitimate means, such as theft, diversion and compromise,” Hughes said. 

AHA also recommends financial incentives and qualifying grants be made available to health care providers to implement the cybersecurity technology and best practices outlined in the NIST guidelines and the HICP, Hughes said. The association also supports addressing both privacy and security through a single regulatory framework, as is currently done under the Health Insurance Portability and Accountability Act (HIPAA) which governs the protection of patient health information. These issues are integrally related, so utilizing a separate regulatory framework would be problematic.

Hughes also highlighted in her letter to the senator that AHA supports ensuring there are appropriate minimum cyber hygiene practices. While the Medicare conditions of participation (CoPs) and conditions of coverage (COCs) set forth criteria intended to keep patients safe and to ensure the delivery of high-quality care, they are not the ideal place for monitoring minimum cybersecurity practices, for several reasons.

Addressing insecure legacy systems and Software Bill of Materials (SBOMs), Hughes wrote that manufacturers must support end-users in providing a secure environment for safe patient care. The support should include wrapping security precautions around these devices, adding security tools and auditing capabilities where possible, conducting regular updates and patching all software, and communicating security vulnerabilities quickly through consistent channels. 

Hughes also wrote that the AHA suggests financial incentives be provided to smaller healthcare entities to develop the resources to digest cyber threat intelligence, identify indicators of compromise, and apply recommended technical measures. “We would also recommend financial incentives and support for non-profit cyber threat information sharing organizations such as the Health-ISAC and supporting cyber threat information sharing organizations such as the AHA, which have broad reach and strategic value for the healthcare field,” she added.

Although AHA supports efforts to improve cybersecurity practices throughout the healthcare field, “we recommend the approach not be punitive, such as revisions to the CMS Emergency Preparedness CoPs. Instead, AHA would encourage pursuing a voluntary incentivized approach to improve cybersecurity standards,” according to Hughes.

The AHA has worked closely with the HHS Health Sector Coordinating Council (HSCC) and the HHS Risk Office on the development and promotion of the HICP, which are voluntary guidelines, Hughes wrote. AHA engages heavily on issues regarding cybersecurity through the vast subject matter expert pool of the HPH 405(d) Task Group, especially when a threat with broad sector impact is identified.

Although all healthcare organizations should employ robust systems and practices to protect against cyberattacks, it would be dangerous and counterproductive to patient safety and to the financial viability of hospitals to prevent access to SNS resources in such a punitive manner, especially since hospitals are considered to be critical infrastructure for the nation, Hughes assessed. 

“AHA has been supportive of a safe harbor for health care organizations that implement recognized security measures,” she wrote. “The safe harbor could be constructed in a way that encourages health care organizations to continue to take cybersecurity seriously, without compromising the ability of patients who actually are harmed by a breach to get access to the justice system.” 

The ongoing foreign-based cyberattacks targeting the healthcare field with data theft and ransomware attacks have resulted in a dramatic increase in cyber insurance costs and a significant decrease in coverage, according to Hughes. “As these attacks originate from foreign-based criminal organizations, sheltered or supported by hostile nation states such as Russia, Iran, North Korea, and China, they represent a national security threat beyond the control of the health care field — such as a terrorism threat. In fact, Lloyd’s of London Ltd. recently declared they will exclude catastrophic nation-state backed cyberattacks from insurance coverage in 2023,” she added.

As a result, there is a need for the government to create a reinsurance program that would assist victims of high-impact cyberattacks, whether nation-state backed or not, as victims of an international terrorist attack would be assisted.

In conclusion, Hughes pointed out that hospitals and health systems have prioritized protecting patients and defending their networks from cyberattacks. “However, they need support from the federal government as the field continues to face targets from sophisticated cyber adversaries and nation-states. We look forward to working with Congress to provide appropriate support for hospitals and health systems and ensure close cooperation between the federal government and the healthcare field,” she added.
