Can the Federal Government Aid Healthcare Cybersecurity?
"The most terrifying words in the English language are: I'm from the government and I'm here to help."
– President Ronald Reagan, August 12, 1986
The country's 40th president rarely minced words when giving his opinion of the ability of large government bureaucracies to provide low-cost and effective services. Even the Great Communicator might be surprised, however, at the effective response provided by the Health and Human Services Department's Health Cybersecurity and Communications Integration Center (HCCIC) to the "WannaCry" ransomware attack that swept the globe in the first half of 2017. The HCCIC provided real-time support and guidance to healthcare organizations across the country to stem the attack before it could shut down critical medical service centers.
This situation shows that the Federal Government can play an effective role as a partner in the healthcare community's fight against cybercrime that compromises patient records or holds those records hostage pending payment of a ransom to an unidentified hacker. The healthcare organizations themselves, however, cannot rely entirely on the Federal Government to shut down all hackers. Those organizations will inevitably suffer one or more data breaches as cyber attackers become more sophisticated and as healthcare organizations become more exposed to attacks through growing numbers of internet-connected devices and electronic medical records.
The Government’s role in the healthcare cybersecurity arena will always be more advisory than prophylactic. The Cybersecurity Act of 2015, for example, established a task force that brought healthcare industry players together to define the best practices and countermeasures that hospitals and medical facilities can take to shore up their cyberdefenses and respond to cyberattacks when they happen. Among the recommendations that the task force highlighted were such commonsense suggestions as:
- Improving the healthcare cybersecurity workforce with better career opportunities for IT employees in hospitals and medical centers.
- Modernizing legacy IT systems and technology that may be more susceptible to hacking.
- Establishing basic guidelines for internet-connected medical devices to ensure that they do not become easy inadvertent pathways for hacking attacks.
- Centralizing the Government’s regulatory role of the healthcare industry under a single umbrella (currently, multiple administrative agencies regulate different parts of the healthcare industry).
- Creating exemptions to fraud and abuse laws to allow healthcare entities to share more cybersecurity defense information.
The task force report called out the Federal Government over regulatory barriers that hinder good cybersecurity practices. Although agencies such as the HCCIC are good partners for cybersecurity in healthcare, certain rules and regulations imposed by the Government increase a healthcare center's exposure to losses and liabilities when a cyberattack succeeds. The HIPAA Privacy Rule, for example, imposes strict national standards on all U.S. healthcare organizations to maintain the privacy of patient data. One healthcare organization paid a record $5.5 million fine in 2016 for Privacy Rule violations that stemmed from a loss of patient data records.
Until the Federal Government rebuilds its healthcare regulatory apparatus, and even after that reconstruction is complete, individual healthcare organizations and medical centers will need to establish their own cybersecurity strategies to defend against cyberattacks and to provide a mechanism to recover the financial losses and liabilities that result from a successful attack. On the defensive side, this includes standard measures such as encrypting data, strengthening the security around network logins, and keeping the firmware and software in all medical devices up to date with every patch and new version that closes off a known vulnerability.
On the recovery side, cybersecurity insurance provides assurance that a healthcare provider will be able to recover quickly and efficiently when a successful attack does occur. In all cases, cybersecurity in healthcare will continue to be the shared responsibility of healthcare providers and the Federal Government. Given the certainty of continued cyberattacks and the growing cost of those that succeed, healthcare cybersecurity insurance will remain the last line of defense that can keep a healthcare organization on its feet.
Also published on Medium.