The closure of Spring Valley, Ill.-based St. Margaret Health due in part to a ransomware attack reignited debate over how the government can best protect the critical American healthcare infrastructure from cyber threats.
"To the question of what the government can do, it needs to continue executing on this relationship and listening to the sector's needs. There are already services in place. Within HHS, there's a program called the 405(d) program, and that has produced a voluntary set of best practices," Erik Decker, chief information security officer of Salt Lake City-based Intermountain Health and the chair of the Health Sector Coordinating Council, told Becker's.
"We call it HICP (Health Industry Cybersecurity Practices). It contemplates small, medium and large sized hospitals and gives them 10 practices and mitigates the five most common threats that hospitals are getting beat with."
Despite the availability of resources and training material through HICP, some lawmakers are looking to take more legislative action to protect rural hospitals from cyber threats.
The bipartisan Rural Hospital Cybersecurity Enhancement Act made it out of committee in June and will head to the Senate floor. The legislation calls for a more comprehensive rural hospital cybersecurity workforce development strategy and promotion of education resources for rural hospitals.
Some CISOs pointed out that cybersecurity educational materials for rural hospitals are already available and the real issue is a lack of resources
"To the extent that you have funding, a budget and a working security program, to actually hire someone after you find the recruit, that's a separate issue from a small rural hospital who may not have the budget for a full time equivalent," said Randy Yates, CISO of Houston-based Memorial Hermann Health System. "Without a funded position, recruiting assistance may be less valuable."
"I understand part of the education proposed plan was likely geared toward the existing rural hospital IT staff to supplement their knowledge and capabilities with additional security related educational opportunities, which I believe is a good strategy."
Mr. Decker said the Health Sector Cyber Security Coordinating Council has contemplated grants, apprenticeships and student loan forgiveness programs for cybersecurity professionals who serve in critical infrastructure organizations.
Beyond boosting workforce and education initiatives, CISOs also pointed to information sharing as a way the government could help.
"The biggest ways the government can better protect hospitals from cyberattacks is with intelligence sharing and funding. As outlined in the Health Industry Cybersecurity Information Sharing Best Practices (HIC-ISBP), better information and threat intelligence sharing supported by our government would provide great value to hospitals," said Steven Ramirez, CISO of Reno, Nev.-based Renown Health.
"Currently, we have some industry-supported consortiums, but there are also private, paid threat-sharing services that can be expensive and have mixed results."
Hospitals are just a piece of the healthcare cybersecurity puzzle.
"Vendors are actually part of our federal working group," Mr. Decker said "We call them advisers. We do keep a cap on that because it's supposed to be about critical infrastructure operators. That is the main part of the partnership.
"But the vendor community offers so much value there, both from the big ones like Google and Amazon and Microsoft, who actually have a lot of the infrastructure that we use to manage service providers, to the consultants and advisors who are out there and seen a lot of what the industry looks like."
The government had previously taken an interest in maintaining the cybersecurity posture of America's hospitals. However, geopolitical tensions and sophisticated ransomware gangs could make hospital cybersecurity an even larger priority. The U.S. has accused China and North Korea of sponsoring hackers targeting U.S. healthcare.
"The government interest has been there for a number of years. It got extra activated with the Russia-Ukraine conflict and it's been extra activated because of the ransom actors that have hit healthcare and other critical infrastructure," Mr. Decker said.
While specific legislative details still need to be hammered out, many CISOs seem to support government efforts to protect rural hospitals from malicious cyber actors.
"We welcome measures that can help our rural hospitals with their cybersecurity efforts. These hospitals are vital to many communities and patients," said Dee Young, CISO at Chapel Hill, N.C.-based UNC Health Care.
"While these initiatives proposed are an essential step, it will be critical to continue to make strides to develop programs and additional resources to help all of healthcare, including rural hospitals, mitigate these cyber risks and allow our clinical teams to do the most important job of taking care of patients."