Public-private partnership key to countering healthcare cyber threats
If the healthcare industry is to effectively combat the growing threats to its sensitive health data, the besieged sector must strengthen public-private partnerships to more actively coordinate cybersecurity among stakeholders.
That’s the consensus of cyber experts who testified before a congressional subcommittee on Tuesday.
“Nowhere is the cybersecurity challenge more acute today than in the healthcare industry,” Terry Rice, vice president of IT risk management and chief information security officer at Merck, told a hearing of the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations.
“In just the last few years, we’ve seen more than 100 million health records of American citizens breached in a couple of well-publicized incidents,” said Rice. “We have seen how software vulnerabilities in insulin pumps and pacemakers can be exploited to cause potentially lethal attacks. And we have witnessed entire hospitals in the United States and the U.K. shutting down for multiple days to combat ransomware infections in critical systems.”
Still, Rice said he believes that these incidents under-represent the extent of the cybersecurity problem plaguing the healthcare sector, which is far worse than reported. According to Rice, the total number of hacking incidents is significantly underreported because of current disclosure laws.
“Electronic evidence gathered through normal security monitoring suggests there are a lot more breaches and incidents than is currently reported,” he told lawmakers. “Recent advances in healthcare technology, along with the proliferation of electronic health records and healthcare applications, have opened up a much wider array of cybersecurity risks and exposures.”
Rice warned that the public and private sectors must work together to counter the increasing cyber threats facing the healthcare industry. “Neither the private sector nor the government can solve this problem alone,” he added. “We must work collaboratively and transparently to reduce this risk.”
Nonetheless, the healthcare industry has “long struggled to coalesce around the public-private partnership model, especially with respect to cybersecurity,” said Rep. Tim Murphy (R-Penn.), chairman of the House Subcommittee on Oversight and Investigations. “However, as healthcare becomes increasingly digitized, the need to improve cybersecurity must be a priority.”
Likewise, Rep. Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee, argued that improving cybersecurity in healthcare is a collective responsibility.
“When we work together—government and private sector, large companies and small—we can do more to improve security than if we attempt to solve it on our own,” Walden said. “An attack on one organization may be prevented elsewhere if we have the infrastructure and mechanisms necessary to communicate effectively with others across the sector. Further, if an event has widespread or national implications, we need to coordinate an effective and efficient response—with unity of effort, not confusion over roles and responsibilities.”
Rep. Diana DeGette (D-Colo.), ranking member of the House Subcommittee on Oversight and Investigations, pointed to efforts by other industries, such as the Information Sharing and Analysis Centers (ISACs) that collect, analyze and disseminate cybersecurity threat information among their stakeholders.
“Several industries have established ISACs to encourage private companies to share information about cyber vulnerabilities and attacks,” said DeGette. “Federal agencies also collaborate with these ISACs to facilitate the sharing of important information about cyber threats and incidents.”
Frank Pallone, Jr. (D-N.J.), ranking member of the House Energy and Commerce Committee, made the case that if the relatively new National Health ISAC, founded in 2010, can share threat and vulnerability information, it could significantly bolster healthcare cybersecurity.
Denise Anderson, president of the NH-ISAC, told the subcommittee that the not-for-profit organization includes healthcare providers, medical device manufacturers, electronic health record vendors and payers representing about one-third of the U.S. health and public health gross domestic product.
Anderson touted two of what she called NH-ISAC’s “ground-breaking” initiatives. “The first is the CyberFit suite of services that allows members to leverage the NH-ISAC community to realize cost savings and efficiencies,” testified Anderson. “The second is the Medical Device Security Information Sharing Council, a forum for manufacturers and hospitals to interact and collaborate in order to advance medical device security and safety.”
She said that under a memorandum of understanding between the NH-ISAC, the Medical Device Innovation, Safety and Security Consortium and the Food and Drug Administration, several national initiatives are underway, including a program for coordinated medical device vulnerability disclosure and a program for medical device assessments.
“The highly collaborative partnership with FDA, NH-ISAC, and MDISS is a great example of how industry and government can come together to address cybersecurity issues,” Anderson added. At the same time, she argued that while there are a number of promising initiatives and efforts underway in the healthcare industry, “there is still a lot more that can be done.”
Specifically, she said one of the greatest challenges for the NH-ISAC and all ISACs is the “lack of awareness” amongst the critical infrastructure owners and operators that the ISACs exist and are a valuable resource.
“Government should regularly and consistently encourage owners and operators—especially at the board and CEO level—to join their respective ISACs,” Anderson told lawmakers. “A policy statement that provides explicit guidance to (Sector Specific Agencies) and their sector constituents to integrate into their cyber risk management and preparedness programs their participation in and collaboration with ISACs is key.”
Rice, who serves on the board of NH-ISAC, said the group includes more than 200 member organizations, “which is a pretty decent start.” However, he lamented that another ISAC has 6,000 members, “so we need to reach out a lot more to get all of those entities sharing information.”
Anderson recommended that Congress facilitate information sharing by providing financial incentives through tax breaks or other means to critical infrastructure organizations that join their respective ISACs. In addition, she said the confidential information shared amongst the members of an ISAC should be considered protected information and not subject to disclosure.
“That’s the beauty of the ISACs—they are trusted communities. So, being able to protect that trust is absolutely key,” added Anderson, who asked for “some way that Congress could help protect that information that gets shared confidentially among the members.”
At the same time, she said information sharing should be encouraged, but not mandated. “When you share because you want to share, it’s different from sharing because you have to share.”
According to Murphy, a successful public-private partnership “depends on collaboration and trust” with the Department of Health and Human Services, which is “an understandable challenge given the many participants in the sector who are regulated by various entities” within HHS.
Toward that end, Rice recommended that HHS appoint a senior cybersecurity professional with healthcare sector experience as the liaison to the private sector. “Today, there are multiple offices within the department that have some responsibility for cybersecurity outreach but none of them have it as their primary task,” he said. “Furthermore, few organizations have the detailed cybersecurity knowledge and experience to engage with their private industry peers.”
Rice envisions this new role at HHS as being the focal point for all cybersecurity interactions with the private sector.
“It has become increasingly apparent that industry needs an experienced government representative at the (Sector Specific Agency) level who understands cybersecurity issues, threats, vulnerabilities and impacts as well as the blended threats between physical and cybersecurity,” concluded Anderson. “Having an established, clear go-to lead in this area is imperative.”