HIPAA/HITECH , Standards, Regulations & Compliance
Biden National Cyber Strategy Poses Challenges to Healthcare
Administration Must Address Lack of Resources, Reactionary Posture, Experts SayThe Biden administration's newly released national cybersecurity strategy aims to bolster protections across all critical infrastructure sectors, including setting minimum security requirements, enhancing collaboration and making other important moves.
See Also: Preparing for New Cybersecurity Reporting Requirements
What does the new strategy mean for healthcare sector entities?
Some industry observers say the administration's stated goals for better securing cyberspace provide important opportunities and challenges for the healthcare industry, which is one of the nation's 17 critical infrastructure sectors.
The opportunities include building a more robust cybersecurity posture to help the sector better defend against and respond to ever-evolving threats, while the challenges include overcoming the lack of resources and other hurdles that healthcare entities face every day.
"We need to do better in terms of fostering better cyberthreat information sharing and mitigation information within our sector and with other sectors and industries," says Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society.
"We do need more public-private partnerships, including with international partners, to solve problems relating to cyber diplomacy but also day-to-day things such as operational security matters and current threats," she says. "Organizations, at times, have a reactive security posture, and leadership does not necessarily look at the lessons learned," Kim says.
Cybersecurity is not just a technical problem but also involves economics and governance issues, she says. "Simply providing more money to an organization to afford more advanced security solutions will not solve the problem. Instead, a holistic approach addressing the administrative, physical and technical aspects of securing data - and assets - is very much needed."
Minimum Standards
The national cybersecurity strategy's emphasis on critical infrastructure protection has been in progress since before the strategy's release, even though the actual document "says little specifically about healthcare," says Greg Garcia, executive director of the Health Sector Coordinating Council's cybersecurity working group.
In fact, healthcare is not explicitly called out in the White House strategy, but its designation as a critical infrastructure sector makes the national strategy pertinent for organizations in the sector - including the emphasis on setting minimum cybersecurity requirements.
"We have been discussing with the Department of Health and Human Services over the past couple of months about what a higher level of accountability in healthcare sector cybersecurity could look like," Garcia says. The "most obvious" reference is contained in the Health Industry Cybersecurity Practices, he says.
The voluntary Health Industry Cybersecurity Practices, or HICP, were developed in partnership between HSCC - a public-private healthcare sector coalition - and HHS' so-called "405(d) task group" - an advisory council created under the Cybersecurity Act of 2015 Section 405(d).
HICP was released in 2019, but an update is set to be published in the coming weeks, Garcia says.
"If the administration believes some of the voluntary practices in the HICP should be mandatory, we are willing to discuss that within the context of serious resource constraints faced by the nation's small and midsized providers," he says.
"Mandates cannot be promulgated without supporting incentives, subsidies or grants. Otherwise, patient safety could suffer under the burden of increased regulatory compliance requirements."
Other industry leaders also are betting that the HICP might indeed become the basis for minimum cybersecurity requirements in healthcare.
"The 'defend critical infrastructure' pillar makes me wonder if 405(d) will become the minimum standard for healthcare and will be used as the vehicle to deliver this cybersecurity strategy for the sector," says Saad Chaudhry, chief digital and information officer at Luminis Health.
Sticks and Carrots
Like Garcia and others, Chaudhry says many under-resourced healthcare sector entities will need help in meeting any potentially higher expectations in cybersecurity for the sector.
"There will likely be smaller organizations - such as federally qualified health centers - that will need assistance to even adhere to 405(d)" recommendations, says Chaudhry, who is a member of the Association for Executives in Healthcare Information Security and the CISO branch of the College of Healthcare Information Management Executives, a healthcare CIO professional group.
"These healthcare organizations by themselves would likely not be large cyber targets for bad actors, but if they are expected to bring their tech landscape to a certain level of security, they will need funds and expertise," he says.
"I therefore also wonder if this would require a cybersecurity version of the 'meaningful use' policy from a decade ago," he says, referring to the HITECH Act of 2009's financial incentive plan for the adoption of electronic health records by hospitals and doctor practices.
Chaudhry says the policy "starts with a 'carrot' of subsidies to shore up healthcare cyber defenses but then progresses to the 'stick' of penalties if adherence is not achieved within a certain time frame."
In fact, even prior to the unveiling of the White House's cyber strategy this week, others - including some members of Congress - have floated proposals to set more robust minimum security standards for the healthcare sector than what is required by HIPAA-covered entities and their business associates.
For example, a lengthy policy paper issued last November by Sen. Mark Warner, D-Virginia, suggests that entities participating in Medicare and Medicaid programs be mandated to apply "minimum security practices" as standard operating procedure (see: Cybersecurity Is Patient Safety, US Senator Says).
While industry trade groups - as well as many Republican legislators - generally oppose any prospect of new federal mandates, some healthcare entities appear hungry for more solid direction, Warner told Information Security Media Group in a recent interview.
Warner is hoping to introduce bipartisan legislation this year that is also aimed at improving healthcare sector cybersecurity. Such a bill could potentially contain "carrots" to help incentivize healthcare entities to step up their cybersecurity posture, he told ISMG.
In a statement Thursday about Biden's cyber strategy, Warner says he is pleased the White House is "advocating for the kind of best practices that I've long called for, such as building and reinforcing strong partnerships with the private sector, investing in the long-term protection of our nation's critical infrastructure, being proactive about establishing strong cybersecurity foundations and meeting critical standards."
Diverse Industry
Consistent cybersecurity across an industry as broad and diverse as the healthcare sector is and will always be challenging, says Robert Booker, chief strategy officer of HITRUST, best known for its Common Security Framework used by healthcare sector entities.
"The pace of innovation and the unfortunate number of cyber events targeting healthcare makes it imperative that collaboration and joint leadership occur across the sector and between the public and private sector."
Robert Booker, chief strategy officer, HITRUST
"The pace of innovation and the unfortunate number of cyber events targeting healthcare makes it imperative that collaboration and joint leadership occur across the sector and between the public and private sector."
Booker suggests that less mature healthcare entities "should be encouraged to inherit" security capabilities from providers such as cloud service vendors and hosted healthcare applications with more mature information security programs.
"This will ultimately reduce the complexity of security delivery, increase the efficiency of security operations and reduce the overall cost of healthcare delivery nationwide."
Other Pillars
Overall, the White House's five-pillar national cybersecurity strategy appears to be a comprehensive approach that covers many of the challenges that healthcare sector entities and other industries face, Chaudhry says.
Besides the strategy's first pillar - the emphasis on defending critical infrastructure - the other pillars spotlight targeting and disrupting threat actors, using market forces to improve security and resilience, investing in resilience and enhancing international partnerships.
"This is definitely a more holistic approach to cybersecurity that is needed nationally. We cannot just concentrate on defense. We also have to make it less lucrative and more punitive for the bad actors," he says. "The pillars of 'target and disrupt threat actors' and 'enhance international partnerships' certainly do the latter two things," Chaudhry says.
Kim of HIMSS offers a similar assessment. "It is critical for us to work with international partners. Traditional thinking amongst cybersecurity professionals is that it is best to not talk about what is happening and/or challenges, and there may be hesitancy to share otherwise sensitive information outside of the United States," she says.
"But the reality is that cyberspace is international and cyberthreat actors may attack targets from east to west or west to east. Therefore, it is essential for us to learn from our trusted peers and colleagues about what is happening and to prepare for what might happen to us."
The national cybersecurity strategy also highlights the protection of internet of things devices, including connected medical devices, says cybersecurity attorney Stephen Lilley, a partner at law firm Mayer Brown and former chief counsel to the Senate Judiciary Committee's crime and terrorism subcommittee.
The healthcare sector should expect the strategy to spur continued scrutiny of cybersecurity practices under the existing regulatory authorities of the Food and Drug Administration and HHS, broad application of the 2022 cyber incident reporting legislation to the healthcare sector, as well as potential legislation to expand private-sector responsibilities, he says.
"The forthcoming implementation of the strategy will likely push providers, medical device manufacturers, pharmaceutical companies and other healthcare entities to meet both existing standards and emerging best practices, such as for secure software development," he says.
"In short, the strategy anticipates greater cyber risks for the healthcare sector going forward and higher expectations for sector businesses."