WASHINGTON -- Small rural hospitals need more financial help from the federal government if they are to pay more attention to cybersecurity, Kate Pierce said Thursday at a on cybersecurity in healthcare.
"Our rural hospitals are facing unprecedented budget constraints, with up to 30% or more in the red," said Pierce, who is senior virtual information security officer with Fortified Health Security and former chief information officer at North Country Hospital, in Newport, Vermont. "With the [COVID-19] public health emergency scheduled to end in May, many hospitals anticipate a rise in free care, with as many as 15 million Medicaid patients projected to lose coverage."
In that environment, "cybersecurity programs continue to lag behind, with budgeted security spending directed to cover higher-priority expenses," she said. "These small hospitals struggle to employ and retain skilled cybersecurity professionals, often with little to no staff solely dedicated to security ... We cannot leave our small and rural hospitals behind. Funding opportunities must be made available to these hospitals."
The problem of cybersecurity breaches is a widespread one, stressed committee member Sen. Alex Padilla (D-Calif.), who said that according to Department of Health and Human Services (HHS) data he looked at, "as of yesterday morning, there were 63 different California-based breaches of unsecured protected health information under investigation, affecting over 90 million people. That's more than two times the state's population. So this national scale of the problem is alarming."
He asked Stirling Martin, chief privacy and security officer at Epic Systems, a health information technology firm in Verona, Wisconsin, why health information in particular was so valuable for those who tried to steal it. "Part of what makes healthcare data [such as birth dates and Social Security numbers] so sensitive is that it doesn't change; it isn't something that can be reset or changed like a password or credit card number," said Martin. "So once it falls into a bad actor's hands, that information can be used in perpetuity for future crimes, whether that's identity theft or blackmail."
In addition to more funding for cybersecurity, Pierce also called for more regulation of hospitals in relation to their cybersecurity standards. "We must move beyond guidance and recommendations and create minimum standards for cybersecurity," she said. "These standards must be reasonable, achievable, and continually evolving as cybersecurity requirements change."
Having standards to meet -- and the funding to meet them -- would force hospitals to put cybersecurity higher on their priority list, Pierce said in response to a question from Sen. Maggie Hassan (D-N.H.).
Pierce said she's worked with a lot of small hospitals across the nation, "and invariably, they are at a state where 'there is absolutely no security program' to 'it's very minimal.'"
"Everyone is now aware of where their risks are, but they're choosing to accept those risks mostly for financial reasons because they can't afford personnel to address those risks," she added. "We need to also provide them the ability to actually implement their security measures."
A related problem, witnesses said, is that there is almost too much guidance to choose from. "There is no shortage of recommendations and guidance and things that organizations could be or should be doing," said Martin. "The challenge we see is taking stock of all of those different resources and deciding what to actually do, given all those different inputs ... One of the key things that the federal government can do to help would be to establish a minimum threshold for security best practices. Having that minimum threshold would be incredibly helpful for organizations."
Greg Garcia, executive director for cybersecurity at the Healthcare and Public Health Sector Coordinating Council, agreed. He noted that the federal government and healthcare organizations will soon issue (HICP) 2023. "This is a set of best practices that are minimum security practices that all health systems should be implementing," Garcia said. "And those are developed by the sector for the sector, and jointly with HHS. There is a glut of 'security best practices' out there. We need to pick one, because there is a lot of confusion. We advocate that the HICP is probably the best effort at a joint government/industry publication offered freely, accessible to all health systems, and CISA [the federal Cybersecurity and Infrastructure Security Agency] needs to follow and push that along with us."
The government also needs to improve coordination among the various entities responsible for cybersecurity, said Garcia. "It's commendable that CISA, in its role as the national coordinator for critical infrastructure protection, has directed more of its attention to healthcare cybersecurity, but that level of attention needs to be triangulated among HHS as the sector lead, CISA as the technical support, and industry as the owners and operators," he said. "That necessary relationship is improving, and we're glad for that, but more improvement can be done."
As for what organizations themselves can do, "we need to do a culture change," Garcia said. "For as long as I've been in cybersecurity, everyone outside of the security team says, 'Cybersecurity -- that's the security team's job, not my job; I'm the CIO, I'm the CEO, I'm in administration.' No, it's actually everybody's job, right down to the clinician. Indeed, one of the biggest threats in cybersecurity generally is the frontline user -- anybody who is touching a keyboard, or a tablet, or a phone or any kind of medical technology."
Scott Dresen, senior vice president for information security at Corewell Health, a healthcare provider based in Michigan, urged senators not to be too punitive toward providers who can't meet cybersecurity requirements. "We understand and support the legislative intent to encourage adoption of best practices and the implementation of appropriate protections to safeguard our data," he said. "However, penalizing victims of cyberattack when defensive measures can't keep up with the sophistication of attackers is not the fair approach."