The health care sector faces increasing pressure from cyberattacks targeting hospitals and other medical facilities while it deals with old equipment and systems that weren’t designed with cybersecurity in mind, warns a policy paper from the office of Sen. Mark Warner, D-Va.
Citing input from health care and cybersecurity experts, the paper outlines the cyberthreats facing health care providers and offers several policy solutions to improve the situation for the industry. Such considerations are timely as cyberattacks on the industry have spiked over the past decade, reaching record levels in 2021.
The paper, titled “Cybersecurity is Patient Safety,” contends that improving the sector’s cybersecurity requires the public and private sectors to collaborate and calls for federal leadership, reinforcing health care providers’ cyber capabilities and creating a robust response system to efficiently recover from attacks.
“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks, and the transition to better cybersecurity has been painfully slow and inadequate,” said Warner, the chairman of the Senate Intelligence Committee. “The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities.”
The document lists key challenges facing Congress and federal agencies with jurisdiction over health care providers.
It recommends that Congress update the Health Insurance Portability and Accountability Act of 1996 to address cyberthreats and clarify language in the federal Anti-Kickback Statute and the Physician Self-Referral Law in order to allow health care providers and stakeholders to work together on cybersecurity improvements.
It also recommends that the Department of Health and Human Services and its agencies better coordinate with the private sector on cyber issues, protect health care research and development from cyberattacks and obtain more health care-specific guidance from the National Institute of Standards and Technology.
And it recommends that federal agencies promote workplace tech development and training programs focusing on cybersecurity and develop a proposal to provide academic loan forgiveness to cybersecurity professionals if they work for several years in rural communities, which are chronically understaffed in information technology.
The federal government can help the private sector cope with cyberthreats through a combination of mandates and voluntary incentives to adopt best practices, the paper found. It noted that the government can begin by establishing minimum cyber hygiene practices for health care institutions.
To help the health care industry respond to and recover from cyberattacks, the paper suggests creating a national stockpile of commonly used medical equipment to quickly replace products that are compromised and/or damaged in a cyberattack; developing a disaster relief program for cyberattacks similar to those provided for natural disasters; adding a safe harbor/immunity clause for health care organizations implementing adequate security measures; and promoting the adoption of cyber insurance.