Healthcare cybersecurity should be essential to conversations in the country’s pandemic retort, as evidenced by the spate of cyberattacks launched against “hospital networks when they were at their most helpless,” commented Rep. Bill Johnson, R-Ohio.
“Cybersecurity is so vitally crucial to not only preventing ransomware attacks on hospital networks and securing the safety of patients’ personal information but also to our national security,” he stated. “Nobody’s on the frontlines with that problem more than hospitals, who are combating cyber threats day-to-day.”
Johnson directed the cyber-focused queries during the May 11 House Energy & Commerce subcommittee on how the nation can better assemble for and respond to future public health security perils gleaned from discourses learned during the COVID-19 pandemic.
In the center of the hearing was the possible reauthorization of the Pandemic and All-Hazards Preparedness Act (PAHPA), set to lapse on September 30. Although the 2018 interpretation only contains one cyber provision, the pandemic demonstrated that cybersecurity must be a vital part of the administration’s plan to reauthorize the bill, he emphasized.
When PAHPA was reauthorized in 2018, “cyber was a known menace, but not truly at the top of anyone’s senses when it comes to preparedness,” stated Johnson. Of course, much has changed in that moment, with a severe increase in cyberattacks against the industry.
For Johnson and Erik Decker, Health Sector Coordinating Council’s Cybersecurity Working Group chair, the pandemic highlighted the sector’s weaknesses, reliance on technology, and an overwhelming necessity for better cybersecurity measures and enterprise coordination.
Peril players leveraged the pandemic to target hospitals, which pushed providers to move resources from “areas where they’re desperately required, away from patient care and more toward their design, their technology,” illustrated Johnson.
The transformation cut into emergency services, “shrank life-saving procedures and ultimately, increased death rates that would have otherwise been totally avoidable. Cybercriminals are not merely robbing our data or barring down networks. They are basically taking American lives with them when they exit or when they reach there.”
As evidenced by a report issued in JAMA Open Network this week, these cyberattacks also disrupt the functions of area hospitals: with an inflow in patient volumes, expanded wait times, and delays in patient care. Thus, growing care morbidity risks.
The huge shift in the threat landscape should prompt the government to evaluate cybersecurity within the context of all risks, preparedness, and response.
Partnerships are improving, but more help needed.
Decker testified to ensure cybersecurity provisions were included in any revised formats of PAHPA.
While the public-private partnership between the health sector and the government has significantly matured in recent years, entities with fewer resources continue to lag in cyber capabilities and will require incentives and more excellent resources to meet the challenges of digital innovation, explained Decker.
“Cyber is very capable of turning into a kinetic problem,” he said. “Because we are so reliant on technology these days and because healthcare has become digital, when that technology is disrupted for a long period of time, the hospital systems are having a very hard time managing via that for a lengthy period of time.”
The federal government must intensify the resources of the Department of Health & Human Services while operating to bolster the alliance with the Cybersecurity and Infrastructure Security Agency. CISA presents many valuable tools and services which can only strengthen stability — particularly as the government moves to demand swift reporting.
The problem in healthcare is not an unwillingness to perform the needed duties to move into a more proactive stance — like the incorporation of threat intelligence garnered from essential infrastructure industries — but rather a shortage of resources and incentivization of providers without the standards or staff to accomplish these necessary actions.
“Since HHS is our sector Risk Manager agency, we require to leverage HHS as the front door to all federal agents,” said Decker. “Without proper cyber bases in place, this velocity of digital conversion could become the equivalent of driving a racecar at highest velocity without check.”
HSCC’s working group is steadily evolving and sharing free recommendations and advice for the healthcare sector to bolster resilience. These aids are a “shining example of joint collaboration.”
Merged with the recently updated HHS 405 D program direction, providers have the tools and now require government help to close these cracks. Decker reaffirmed the need to, at the very least, persist in the idea of incentivization. Industry stakeholders have requested government incentives for years, and Sen. Mark Warner, D-Va., signaled the shift for such a program in the fall.
Stimuli or reimbursements would be crucial for some of the smaller and medium-sized institutions without “the resources to apply into cyber capacities,” stated Decker. “You could have a smaller or critical entry hospital that’s underwater. And the choice between a MRI machine or cyber capacity tends to go towards the clinical abilities.”
Decker described there’s also a need to continue the five-year strategic planning practice, which works to determine what a tough condition looks like for cybersecurity in the health area by 2029.
“Ensuring the health sector from cyberattacks might seem daunting, but I’m assured that we can meet this challenge,” said Decker.