Homeland Security Committee convenes hearing to scrutinize cybersecurity risks to healthcare sector

The Homeland Security and Governmental Affairs Committee convened a hearing to examine cybersecurity threats facing the healthcare sector and how the federal government and healthcare providers are working to prevent breaches. The examination highlighted the severity of the threat and discussed how cyber-attacks against the healthcare sector can affect patient care and compromise sensitive medical information. 

U.S. Senator Gary Peters, a Democrat from Michigan and the head of the Senate Homeland Security and Governmental Affairs Committee, and other witnesses emphasized the importance of putting into effect Peters’ historic legislation, which mandates that critical infrastructure, such as the healthcare industry, report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). Also, lawmakers talked about potential steps the House may take to improve cybersecurity for the healthcare industry.

Scott Dresen, senior vice president for information security and chief information security officer at Corewell Health, Kate Pierce, senior virtual information security officer at Fortified Health Security, Greg Garcia, executive director for cyber security at the Healthcare and Public Health Sector Coordinating Council, and Stirling Martin, senior vice president and chief privacy and security officer at Epic Systems, were the witnesses at the Full Committee Hearing.

During the hearing, Peters highlighted how his law requiring critical infrastructure, including the healthcare sector, to report cyber-attacks and ransomware attacks to CISA will ensure the federal government has the tools and resources needed to help reduce the impact of these breaches and address network vulnerabilities. 

The witnesses also discussed unique cybersecurity challenges facing the healthcare sector and shed light on the impact that ransomware attacks can have on patient care. Peters asked the witnesses how small and rural hospitals – which often have limited financial resources – can invest in cybersecurity while also improving patient care. 

Finally, the hearing discussed how CISA and the Department of Health and Human Services can take additional actions to support the healthcare sector as they continue to face persistent and evolving cybersecurity threats.

“Cyber-attacks on hospitals, and other health care providers, can cause serious disruptions to their operations, and prevent them from effectively providing critical, lifesaving care to their patients. Breaches can also lead to the exposure of sensitive personal and medical information of patients and health care personnel,” Chairman Peters wrote in his Opening Statement, as prepared for delivery at the Full Committee Hearing. “These relentless cyber-attacks show that foreign adversaries and cybercriminals will stop at nothing to exploit cybersecurity vulnerabilities in our critical infrastructure and most essential systems.”

Peters added that what is most concerning about these attacks is that they don’t just compromise personal information, they can affect patient health and safety.

Referencing his law, Peters said that it will help ensure that the government is able to better track cybersecurity threats to the nation’s critical infrastructure, provide more transparency and situational awareness for cybersecurity defenses, and enable CISA to warn potential victims of ongoing attacks, so they know if they could be a target next.

“The increasing frequency of attacks from nation-state actors and organized crime has created a sense of urgency within the healthcare sector and we need help from the United States government to respond to these threats more effectively,” Dresen wrote in his Testimony. “Requirements for inter-agency sharing of cybersecurity threat intelligence is a productive step forward.” 

Dresen said that the nation needs more of this, along with enhanced collaboration that includes critical infrastructure sector participation: in particular, the ability to automate threat intelligence sharing with sector participants, enabling rapid, near real-time ingestion of that intelligence into the technologies participating members use to protect their respective organizations.

The U.S. government has actionable intelligence that would be of immediate value to the healthcare sector, according to Dresen. “While there is some degree of automated intelligence sharing, we need to make more of that intelligence accessible.”

Dresen concluded by saying that “we can be more effective by enhancing existing partnerships with and between U.S. government agencies, expanding the sharing of actionable threat intelligence, incentivizing access to affordable technology to defend against advanced threats, and reforming legislation to encourage the adoption of best practices while not penalizing the victims of cyberattacks.”

In his testimony, Garcia covered four areas that help inform both the diagnosis and the prescription for healthcare cybersecurity. These included a brief overview of recent trends in cyber threats, vulnerabilities, and incidents facing the healthcare sector, and observations about how the healthcare industry is changing in ways that could aggravate those threats and related incidents.

He also reviewed how the industry has organized and partnered with the government over the past five years to address these concerns, and how it is mobilizing to get ahead of them over the next five years. Lastly, Garcia offered examples of how government agencies and Congress may support the health industry’s efforts to augment its security and resilience against ongoing cyber threats.

Garcia also provided the Committee with a brief overview of policy actions over recent years aimed specifically at healthcare cybersecurity, and an overview of options for government programs, incentives, and direct support for healthcare cybersecurity that industry stakeholders have been discussing as possible recommendations beyond simply mandating technical controls.

He concluded that “as a critical infrastructure industry, the health sector and its dedicated workforce are mobilizing against the ongoing and existential threat of cyber disruption. We also recognize we need to move faster to keep up with the evolving threats.” 

Garcia added that through continued and expanded engagement in the sector’s collective purpose, broader awareness promotion, and forward-leaning government programs and support, “we can move the needle and five years from now diagnose healthcare cybersecurity to be in a ‘stable condition.’”

Martin said in his Testimony to the Homeland Security Committee that “we’ve been shoulder to shoulder with our customers as healthcare has become increasingly targeted by cyberattacks. For a health system, a cyberattack disrupts their patient care mission and causes both reputational harm and financial burden. Organizations often take their systems offline as they mitigate the impact of a security incident.”

He also pointed to various ways that “the federal government could help healthcare organizations prevent and respond to cyberattacks. Starting first with prevention, there is a dire shortage of security talent in the United States.”

“The industry needs a single set of prescriptive security practices, whether defined by federal agencies such as NIST or CISA, industry efforts such as HITRUST, or a collaboration such as the Healthcare Sector Coordinating Council,” Martin added. “This will raise the overall security posture of healthcare organizations by encouraging them to meet those acceptable security practices. Lastly, on incident response, similar to how FEMA responds to a natural disaster, at-the-elbow support from the government could help healthcare organizations remediate an attack.”

Fortified Health Security’s Pierce said that the top cyber threats for healthcare in 2022 were phishing, ransomware, data breaches, and DDoS attacks. “While these threats were prevalent across the breadth of critical infrastructure, in 2022 healthcare continued to be the top focus, with 148 of the 649 cyberattacks on critical infrastructure targeted at healthcare organizations,” she added.

In her testimony, Pierce wrote that current challenges faced by small and rural organizations include budget constraints, cybersecurity staffing, technical debt, and cyber insurance coverage. She pointed out that while these concerns are by no means exhaustive, they “in my opinion, combine to create a significant increased risk for cyberattacks for this segment of the healthcare sector, with the risk anticipated to continue to grow as the threats increase.”

She provided the Homeland Security Committee with some recommendations for assistance to improve the cybersecurity posture of small and rural hospitals. These include minimum security standards, funding and incentives, coordination of government efforts, and allowing the declaration of an emergency for cyberattacks on healthcare.

Earlier this month, the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the U.S. Department of Health and Human Services (HHS) published a new guide to help the public and private healthcare sectors align their cybersecurity programs with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The joint industry-government publication seeks to help health providers and companies implement the NIST CSF, enabling healthcare organizations to assess their current cybersecurity practices and risks, and identify gaps for remediation.
