Warner policy paper proposes senior leader appointment at HHS to lead cybersecurity work, accountability

A new policy paper has been released by a U.S. senator highlighting the vulnerability of the healthcare sector to cyberattacks brought about largely by the reliance on legacy technology. It also focuses on a highly varied attack surface that grows more complex from an increasing number of connected devices, high-pressure environments, chronic funding constraints, and an outdated mode of thinking that views cybersecurity as a secondary or tertiary concern. 

In the policy paper titled “Cybersecurity is Patient Safety: Policy Options in the Health Care Sector,” Sen. Mark Warner, a Democrat from Virginia, said that he believes that cybersecurity is patient safety and must no longer be a secondary concern; it must become incorporated into every organization’s business model. “Equally as important, cybersecurity policies and their implementation must start upstream to benefit all stakeholders downstream. Equipment must be designed and built with cybersecurity at its core, and regulations and government actions must account for cybersecurity at every step of the way.” 

Senator Warner is releasing the policy options document with the intent of soliciting feedback from stakeholders on the potential options described within. Any individuals, researchers, businesses, organizations, or advocacy groups interested in submitting comments should send a letter or an email before Dec. 1. All submissions should be in the form of a PDF attachment and be as specific and detailed in their recommendations as possible. Submissions should also include the contact name, organization, phone number, and email address in the body of the email.

Warner adds that in this new paradigm, healthcare providers and organizations can benefit from upstream advances while implementing a certain level of cyber hygiene to protect everyone in the healthcare sector, especially the patients they exist to serve. 

In the policy paper, Warner and his staff emphasized areas that the federal government needs to address to improve the national risk posture for cybersecurity in the healthcare sector. It also points out ways the federal government can help the private sector meet cyber threats, and how federal aid can help the private sector recover after a cyberattack.

“Given the large number of actors and lack of clearly defined roles, particularly across operational divisions within the Department of Health and Human Services, there is a need for a senior leader at HHS who reports directly to the Secretary of Health and Human Services to lead the Department’s work on and be accountable for cybersecurity,” according to the policy paper. “The person in this role should be empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role. This person should also work to effectively partner with other agencies to further these goals and advocate for HHS having the resources it needs to be successful.”

Additionally, staff heard from industry experts about a lack of coordination between HHS as the Sector Risk Management Agency (SRMA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Stakeholders have shared that no matter who is in charge, so to speak, they would welcome increased timely, actionable, healthcare-specific cybersecurity guidance. The policy paper said that some stakeholders shared that, when it comes to policies improving cybersecurity in healthcare, the agencies within HHS often have different postures and levels of activity, leading to varying levels of experience regarding cybersecurity and varied prioritization.

The policy paper also covered the process begun in February 2022 by the National Institute of Standards and Technology (NIST) to update the Cybersecurity Framework by issuing a request for information. The request sought responses providing NIST with information on potential metrics that could be used to measure improvements to cybersecurity resulting from implementing the Cybersecurity Framework, on challenges that may prevent organizations from using the Cybersecurity Framework, and on the steps NIST should consider to increase international uptake of the Cybersecurity Framework.

“Many relevant parties lauded NIST’s work on the Cybersecurity Framework, but some have suggested that more detailed guidance for the health care industry is required,” the policy paper said. “For example, the Health Care Industry Cybersecurity Task Force report suggests developing a ‘consensus-based health care specific Cybersecurity Framework.’ This could take the form of a ‘Framework Profile,’ such as those developed by NIST for manufacturing and election infrastructure. Others have suggested that NIST should develop a subsection within the current framework specifically focused on healthcare cybersecurity.”

The Warner policy paper suggests that regardless of whether the framework would be separate or nestled under the existing Cybersecurity Framework, it would be voluntary guidance geared toward addressing the cybersecurity challenges unique to the sector. Finally, some have suggested that the healthcare industry has insufficiently implemented existing healthcare-specific playbooks, such as the ones from HSCC, and that additional NIST guidance is unlikely to be voluntarily adopted by healthcare providers.

It also pointed to the many areas and actors that the Health Insurance Portability and Accountability Act (HIPAA) does not cover currently. “Non-covered entities that are not subject to HIPAA can include software applications and consumer devices that collect and share similar health information. Currently, non-covered entities are not obligated to adhere to HIPAA Privacy and Security Rules while having access to patient health information, and there are growing indications that consumers are not aware of this gap,” it adds.

The Warner policy paper suggested that a proposal under consideration is mandating a regular process to modernize HIPAA regulations to address a broader scope of cybersecurity threats instead of just focusing on covered entities’ responsibility to protect a patient’s personal health information. Congress could direct HHS to update HIPAA to expand what entities are covered and what actions are permitted. 

In July, NIST updated its cybersecurity guidance for healthcare organizations on safeguarding patients’ personal health information. With the SP 800-66r2 draft document, NIST aims to assist healthcare organizations seeking further information on the security safeguards of the HIPAA Security Rule, regardless of the particular structures, methodologies, and approaches used to address its requirements.

The document also highlighted the longstanding shortage in the cybersecurity workforce across industries, with NIST estimating the global shortage of cybersecurity professionals to be 2.72 million in 2021. “When cybersecurity teams are stretched too thin – or worse when lacking a cyber team altogether – an organization is left especially vulnerable to cyber threats,” it adds. 

The policy paper suggests that to address the shortage of cybersecurity professionals in the healthcare sector, Congress could consider establishing a workforce development program that focuses on healthcare cybersecurity. “This program could be tailored to prepare cybersecurity professionals to confront cyber threats that are specific to the healthcare environment and would leverage community colleges and professional certification programs to develop a skilled workforce. Additional training could also be offered by Regional Extension Centers (RECs),” it adds. 

Many healthcare organizations face resource constraints, and some organizations have argued that they cannot afford to retain in-house information security personnel or dedicate an IT staff member primarily to cybersecurity. These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information. 

Several experts highlighted the need for healthcare providers to recognize cybersecurity as a key element of patient safety and a core expense that they must find room for in their budgets. Many organizations may not know that they have experienced an attack until long after it has occurred. Additionally, both large and small healthcare delivery organizations struggle with numerous unsupported legacy systems that cannot easily be replaced, with large numbers of vulnerabilities and few modern countermeasures. 

Keeping these factors in mind, the policy paper suggests establishing minimum cyber hygiene practices for healthcare organizations, addressing insecure legacy systems, streamlining information sharing, and addressing the financial implications of increased cybersecurity requirements. It also highlighted the use of a ‘software bill of materials’ (SBOM) as a key building block in software security and software supply chain risk management.

The policy paper said that various actions have been taken by multiple parties to address SBOM. Last year, Executive Order 14028, issued by the U.S. administration, included an SBOM requirement for software vendors contracting with the federal government and tasked the National Telecommunications and Information Administration (NTIA) with publishing standards for SBOM.

Specifically, in healthcare, NTIA has been leading the effort to evaluate SBOM in the industry via its Health Care SBOM Proof of Concept group. Currently, the group is looking into automating SBOM sharing and driving the adoption of SBOM. Additionally, in April this year, the FDA released a draft guidance document which, if finalized, would recommend that medical device manufacturers prepare an SBOM accessible to both the FDA and users.

The policy paper also proposes solutions to prepare healthcare delivery organizations for the eventuality of a cyberattack and offers solutions for coordinated response efforts to minimize damage and recover within hours or days instead of weeks or months. It suggests developing specific emergency preparedness procedures, which may include mandating training of hospital staff to use analog equipment. Additionally, experts suggested encouraging cyberattack response and recovery joint training between healthcare organizations and relevant federal and state cyber response teams. 

It added that a proposal is being considered to augment the stockpile with common equipment needed by hospitals facing cyberattacks, such as analog equivalent medical devices, laptops, walkie-talkies, and other mobile devices. There is also a proposal to establish a cyber disaster relief program that provides relief to victims of a cyberattack, similar to the assistance provided to victims of natural disasters. It further called upon Congress to consider policies that encourage information sharing, including with patients, and that encourage learning and improvement by encouraging organizations to share vulnerabilities and responses.