Healthcare delivery is beset on all sides by disruptive and turbulent change—and as healthcare cybersecurity becomes an even more urgent issue, we’ve reached a tipping point. While there were known and growing risks in our increasingly hyper-connected healthcare before 2020, the one-two punch of the ransomware revolution and the COVID-19 pandemic has many healthcare delivery organizations (HDOs) on the ropes and taking a beating.
We’ve recently seen how:
Adversaries have changed… in volume, variety, and brazenness to prey upon our weakness
Patient loads have changed… fueled by pandemic strains and ever-compounding delays and degraded medical care
Consequences have changed… from health record counts, fines, and ransoms to worsened patient outcomes, and even loss of life.
These new challenges are laying bare the weaknesses in our current policies and regulations around healthcare cybersecurity. For years, we’ve equated healthcare security with data privacy, with the Health Insurance Portability and Accountability Act (HIPAA) serving as the foundation for the protection of personal patient information and enacting privacy and security rules aimed at keeping such data confidential. For its time—especially as data breaches ran wild in the early 2000s—that strategy was believed sufficient as the totem for healthcare-related cybersecurity.
I love my privacy—I’d like to be alive to enjoy it! Our over-dependence on undependable technology is now a patient-safety, human-life issue. On Oct. 21, 2021, two separate revelations finally moved us over this life-and-death threshold:
A named victim from Alabama on the front page of the Wall Street Journal; a lawsuit continues to work itself through the courts
The first quantitative statistical analysis of excess death associated with protracted ransomware outages done by my CISA COVID Task Force with CDC data
I subsequently testified to Congress on these grave consequences, helping to inform and inspire corrective action. In the House, the Senate, and the White House, political will is changing as policymakers recognize the stakes and respond in turn. As evidenced by the recent inclusion of the PATCH Act in the FY23 appropriations bill, policy leaders are looking to move healthcare cybersecurity to the forefront of policy making.
Key among these developments is a recent discussion paper from Sen. Mark R. Warner (D-VA) which summarizes the key issue in one sentence: “Cybersecurity is Patient Safety”.
Senator Warner’s paper provides an overview of the current cybersecurity threats facing the healthcare sector and offers a series of policy options to improve cybersecurity across the industry. Developed with stakeholder input, including my own, and intended to solicit further feedback from stakeholders, the paper makes recommendations across three main areas: establishing healthcare cybersecurity leadership within the government, improving providers’ capabilities through incentives and requirements, and recovery from attacks.
Among these topics, the following from the paper could be game changers:
A Requirement for Minimum Cyber Hygiene for Hospitals - with financial carrots & sticks (ideally informed by CISA’s cross-sector, baseline Cyber Performance Goals);
Addressing Insecure Legacy Systems - including our 405c “Cash for Clunkers” concept to reduce/remove Bad Practices and the most dangerous, indefensible devices;
Software Bill of Materials (SBOMs) for medical technologies - to help mitigate future events such as Log4j and to enable greater trust, transparency, and vulnerability management within supply chains and operations; and
Incentivizing/scaling scarce cybersecurity talent across the 7,000 HDOs in the U.S., about 85% of which (small, medium, and rural hospitals) are “target rich, but resource poor,” lacking a single dedicated, qualified cybersecurity professional on staff.
Senator Warner’s paper is just one step in starting to understand how cybersecurity impacts life or death scenarios in healthcare, and giving us a policy framework that will enable us to save lives. I urge you to read it.
We recognize that change brings discomfort. And... we must also recognize today’s practices were built for wildly different times with wildly different threat models, adversary appetites, and tolerable consequences of failure. We don’t live in that world anymore.
Few healthcare players want additional regulations and requirements. It’s not about what we want, it’s about what we need, and what patients need for more defensible, maintainable, timely access to care. Let’s seize the moment, build upon this surge of political will, and tell policymakers what we want, need, and fear from these policy changes.
We’ve got a small window here to reposition our fate toward more trustworthy, transparent, and resilient healthcare delivery for you, your loved ones, and those in your care.
History has its eyes on us.