AHA Shares Recommendations Regarding Cybersecurity Policy Proposals

December 07, 2022 - Hospitals and healthcare systems have implemented the necessary steps to protect patients and defend their networks from cyberattacks, but they need future support through cybersecurity policies to address cybersecurity threats, the American Hospital Association (AHA) stated following Senator Mark R. Warner’s policy options paper.

Specifically, the “Cybersecurity is Patient Safety” paper examined the cyber security challenges federal agencies face regarding jurisdiction over healthcare cybersecurity, approaches the government could take to help the private sector tackle threats through mandates and incentives, and policies that could help cyberattack responses.

Senator Warner also requested feedback from individuals, advocacy groups, researchers, and businesses on the cybersecurity policy proposals released in November.

In a letter to Senator Warner, AHA expressed its agreement with certain aspects of the letter but offered recommendations to help policies provide appropriate support for hospitals and health systems.

Strengthening Healthcare Cybersecurity Leadership and Cyber Posture Within the Federal Government

The letter first recommended improving federal cybersecurity leadership and strengthening cyber posture in the healthcare sector, starting with coordination between federal departments.

READ MORE: Balancing Digital Transformation With Healthcare Cybersecurity

“Increased coordination between HHS and the Cybersecurity and Infrastructure Security Agency (CISA) would be beneficial for the healthcare field,” Hughes continued. “This could be addressed with improved delineation of specific authorities, roles, and responsibilities needed between CISA and HHS and within all the functions of HHS. AHA would also support creating a senior cyber leader role within HHS.”

Additionally, AHA affirms support for the Healthcare Cybersecurity Act, which will authorize cybersecurity training and encourage analysis of healthcare cybersecurity risk, focusing on rural hospitals, vulnerabilities of medical devices, and cybersecurity workforce shortage.

The letter also urges the federal government to offer greater support to healthcare facilities experiencing or defending themselves against cyberattacks as often the private sector carries the burden of these types of attacks.

“AHA encourages the federal government to consider additional ways to provide guidance and support to those experiencing cyberattacks during the recovery portion of an attack, such as the support provided to victims of terrorist attacks,” AHA noted. “Guidance by the federal government on mitigation procedures and protocols for safe reconnection with victims of attacks will expedite recovery and bring hospitals back online more efficientefficiently.”

AHA also recommended addressing intellectual property (IP) threats through the existing Department of Justice Task Force on Intellectual Property to mitigate risk.

READ MORE: VA Senator Seeks Feedback on Healthcare Cybersecurity Policy Options

The healthcare system has been dealing with foreign threats related to IP and its influence on medical research. Even though federal agencies have released several guidelines on protecting IP, smaller hospitals lack resources to address IP threats similarly.

“Small or rural research institutions and organizations should be considered in the development of the guidance, as they may not have access to the same resources as larger hospitals. These organizations can often be targeted through their network connections and data exchanges with organizations conducting sensitive medical research,” AHA stated.

Additionally, the lack of resources in healthcare organization due to pandemic-induced financial pressures have restricted many healthcare organizations’ ability to meet advanced cybersecurity posture level and standards by the NIST Cybersecurity Framework (CSF)

“AHA strongly recommends financial incentives and qualifying grants be made available to healthcare providers to implement the cybersecurity technology and best practices outlined in the NIST guidelines and the HICP,” the report stated.

Using Incentives and Requirements to Improve Healthcare Provider Cybersecurity Offerings

In addition to improving federal leadership, AHA supports establishing a baseline for healthcare cyber hygiene practice to ensure patient health information is well protected. The letter highlights current practices to safeguard patient information, such as the Medicare Conditions of Participation (COPs) and Conditions of Coverage (COCs); however, these standards cannot monitor minimum cybersecurity practices.

READ MORE: New Connected Device Security Maturity Model Helps Orgs Strengthen Cybersecurity

“COPs and COCs are enforced by surveyors from either state agencies working under contract to CMS or private accrediting bodies,” AHA stated. “Surveyors can include doctors, nurses, pharmacists, and building engineers who may not necessarily be experts in cybersecurity. Given the rapid advancement and changes in the cyberspace, hospitals and health systems often adapt very quickly to keep their networks safe.”

The hospital group also advocates for a software bill of materials to identify the information technology solutions in a device to better manage frequently targeted medical devices.

As network-connected technologies and medical devices increase in prevalence throughout the healthcare industry, they have become potential network access points for cybercriminals, the letter stated. Threat actors leverage medical device vulnerabilities to exploit healthcare organizations. However, there needs to be more incentive for manufacturers to address security gaps in medical devices.

“To remediate this problem, manufacturers must support end-users in providing a secure environment for safe patient care,” AHA stated. “This support should include wrapping security precautions around these devices, adding security tools and auditing capabilities where possible, conducting regular updates and patching all software, and communicating security vulnerabilities quickly through consistent channels.” 

Financial incentives can also be given to smaller healthcare entities with fewer resources, allowing them to examine cyber threat intelligence, detect indicators of compromise, and employ recommended technical measures.

Lastly, AHA recommends financial implications for increased cybersecurity requirements.

“The increased use of technology comes with significant and necessary cybersecurity expenditure to protect the security of patient data from hacking and to ensure care delivery and patient safety is not impacted by ransomware attacks,” AHA pointed out. “As a majority of hospitals and health systems depend on Medicare and Medicaid’s fixed payments, AHA supports ensuring rates accurately reflect the cost of care. Now is not the time for reductions in payments to providers. Congress must prevent any cuts to Medicare and Medicare from taking effect so hospitals and health systems can continue to care for patients, families, and communities.”

Improving Cyberattack Recovery

Even though the hospital group supports efforts to improve cybersecurity practices across the healthcare industry, the letter recommends an incentivized approach to improve cybersecurity standards rather than penalizing hospitals for cyberattacks.

“AHA encourages the federal government to consider waivers and flexibilities that could be made available to providers recovering from a cyberattack, similar to those granted during other disaster events. Recovery from cyberattacks is not a quick process,” AHA stated.

Given the rapid escalation of cyberattacks, AHA said, “strategic national stockpile (SNS) should be augmented with common equipment needed by hospitals facing these events.”

To access SNS resources, a determination provided in coordination with state public health authorities is required.

“Although all healthcare organizations should employ robust systems and practices to protect against cyberattacks, it would be dangerous and counterproductive to patient safety and to the financial viability of hospitals to prevent access to SNS resources in such a punitive manner, especially since hospitals are considered to be critical infrastructure for the nation.”

The ongoing foreign-based cyberattacks targeting the healthcare field with data theft and ransomware attacks have resulted in a dramatic increase in cyber insurance costs and a significant decrease in coverage.

As a result, there is a need for the government to create a reinsurance program that would assist victims of high-impact cyberattacks, whether nation-state backed or not, as victims of an international terrorist attack would be helped.