Roundup: Strategies and next steps for improved cybersecurity in 2023
Healthcare government and industry leaders see national standards, federal agencies get involved, and technology plays a starring role in the fight against healthcare cyberattacks. Here's a brief roundup of some of those trends, based on what we've been reporting and reading in recent weeks.
'Meaningful Protection' could drive healthcare cybersecurity transformation
Writing in Forbes, Ed Gaudet, CEO and founder of Censinet and member of the Health Sector Coordinating Council, suggests and describes what he calls a "Meaningful Protection" standard for healthcare cybersecurity, akin to the federal meaningful use program that spurred electronic health record adoption in the early 2010s. The goal would be to reduce patient safety risks and improve operational resilience through a "velvet hammer" approach, he said.
"It's time for the U.S. to implement an incentive-based program to drive the meaningful adoption of processes and technologies that protect patients and our healthcare infrastructure," Gaudet wrote.
Despite some debate over the details of the meaningful use program, implemented as part of the HITECH Act to ensure effective use of federal incentive dollars, Gaudet says it's hard to refute the impact the $27 billion program had on moving healthcare from paper to EHRs.
"To truly transform cybersecurity in healthcare, the U.S. government must consider modeling a cybersecurity investment program after Meaningful Use – namely, the 'meaningful protection' of patient safety, data and care delivery operations realized through a combination of incentives and penalties over time," Gaudet wrote.
He offers a three-stage program designed to enable healthcare organizations to demonstrate use of certified practices, processes and technologies in ways that can measure the protection of patient safety, data and care delivery operations.
Gaudet also suggests such a program would "accelerate 'cyber herd immunity,'" which the Healthcare and Public Health Sector Coordinating Council cybersecurity working group is calling for in trumpeting cyber preparedness as a collective responsibility.
"The first step to a solution is: recognize you have a problem. We do recognize we have this problem. It's now starting to manifest as all hands on deck. I'm seeing it, and I'm energized by it," Greg Garcia, the group's executive director, told attendees at the recent HIMSS 2022 Healthcare Cybersecurity Forum.
James Noga, former CIO for Boston-based Mass General Brigham, agreed. "Meaningful Protection will move the needle in a positive direction in protecting healthcare organizations and patients from cybersecurity attacks if adopted," he wrote today on a LinkedIn post he agreed to share on Healthcare IT News. "Next step is to lobby our legislators."
FTC could report on cross-border ransomware complaints
As part of the end-of-the-year Congressional omnibus package, Energy and Commerce Chairman Frank Pallone, Jr., D-New Jersey, and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky, D-Illinois, announced consumer protections that include requiring the Federal Trade Commission to report on "cross-border complaints received that involve ransomware or other cyber-related attacks committed by certain foreign individuals, companies and governments."
According to the announcement, FTC must focus specifically on attacks committed by Russia, China, North Korea or Iran as well as individuals or companies that are tied to those nation-states.
In June, the House Energy and Commerce subcommittee forwarded the Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act to the full committee, but as NextGov reported, it floundered due to a lack of support from Senate Leadership.
The RANSOMWARE Act required the FTC to report to Congress on data from The Undertaking Spam, Spyware and Fraud Enforcement with Enforcers Beyond Borders Act allowing the federal commission to share evidence with foreign law enforcement agencies and assist in investigations upon their request.
Committee members had argued over state preemption and the right of individuals, as opposed to government entities, to sue violators, according to the report. But Pallone has advocated since 2017 for "long-term commitments from many players" to strengthen healthcare's cybersecurity posture.
Many healthcare organizations like the American Hospital Association are calling for greater federal support for victims of nation-state cyberterrorism, including real-time insights.
"We can only do so much on defense when foreign-based adversaries sheltered by hostile nation-states attack us. The other half of this equation is a robust offense by the U.S. government to go after these folks," John Riggi, national advisor for cybersecurity and risk for AHA, formerly with the Federal Bureau of Investigation, told Healthcare IT News in a recent conversation about government offense on healthcare cyberattacks.
Automation strategies could improve connected healthcare device security
While the industry waits for the government to act on the PATCH Act and a proposed software bill of materials, Greg Murphy, advisor and former CEO of Ordr, which recently partnered with Sodexo on managed cybersecurity services, offers hospitals six immediate steps they can take to improve medical device security.
Writing for SC Magazine, Murphy proposes automation to maintain complete visibility to maintain an up-to-date device inventory, identify risks and monitor device communications.
"Countering the threat and maintaining patient safety requires continuous monitoring and securing the plethora of connected devices in use in hospitals today," he wrote.
"It’s a huge job to avoid Code Dark events that press doctors, nurses and frontline hospital staff into service following attacks."
Risk analysis is "still a very manual and labor-intensive process," Kathy Hughes CISO of Northwell Health, shared during a panel on third-party cybersecurity at the recent HIMSS Healthcare Cybersecurity Forum.
Murphy suggests automating the discovery and classification of devices to enable real-time and accurate device data and inventory.
First, "identify devices with outdated operating systems or other risks such as misconfiguration and software that is unauthorized or vulnerable," he said.
Hospital IT teams should also track communication from countries with known cyberattack postures; identify and monitor devices with high-risk privilege protocols; segment devices running outdated operating systems that can’t be patched; enable only sanctioned communications required for device operations and baseline all connected device communications.
"Whenever ransomware takes over a device, there’s communication with an internet-based command-and-control site and potential for lateral movement across the organization," Murphy said.
"Any detected deviation from baseline communications is an indicator of compromise."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.
Gloss