Law enforcement agencies should be given necessary resources to proactively share information, conduct investigations, and assist data breach victims to ensure strong cyber attack prevention measures, according to the American Hospital Association (AHA).
The AHA submitted a statement to members of the House Energy and Commerce Subcommittee on Oversight and Investigations in a hearing on public-private partnerships for healthcare cybersecurity.
“Hospitals and health care providers also work with a variety of federal agencies and law enforcement to respond to and prevent cyber attacks,” the letter explained. “The field also is actively regulated through the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and related enforcement actions. Although attacks will occasionally succeed, the victims should be given support and not be presumed to have been at fault.”
Hospitals and health systems are actively protecting their assets, the AHA stated. These organizations are also taking specific steps to secure their systems.
The healthcare sector holds large amounts of extremely sensitive data, which is often highly sought after and can be compromised in various cyber attacks (e.g., ransomware attacks), added the AHA.
“Many hospitals conduct annual threat assessments and work to identify vulnerabilities through extensive penetration testing,” the statement read. “Increasingly, hospitals and health systems are conducting cybersecurity ‘tabletop’ exercises or other simulations to assess their readiness to respond in the event of an actual attack.”
Citing data from one of its own surveys, the AHA explained that more than 80 percent of hospitals have implemented intrusion detection systems. Eighty percent are also utilizing encryption on their wireless networks, mobile devices, and removable media.
The majority of hospitals – 90 percent – also use strong passwords, require passcodes on mobile devices, encrypt laptops and/or workstations, and perform a risk analysis at least annually to identify compliance gaps and security vulnerabilities.
While healthcare is also participating in information sharing to encourage stronger cybersecurity measures, more law enforcement aid is needed, the AHA maintained.
The Nation’s Healthcare and Public Health Information Sharing and Analysis Center (NH-ISAC) and Health Information Trust Alliance (HITRUST) provide information sharing opportunities, and the Cybersecurity Act of 2015 also encourages information sharing among private sector and federal government entities.
“With that said, the increased information sharing is not yet a reality, and expedited and tailored cyber threat information sharing from the federal government would benefit all health care and public health organizations,” the letter urged. “Providers most need actionable information that identifies specific steps they can take to secure against new threats.”
The AHA added that hospitals and health systems will need continued vigilance and support because the cyber threat landscape will keep evolving. Entities with fewer resources will need even more assistance to combat increasingly complex threats.
Several federal agencies, including the Department of Health and Human Services (HHS) Assistant Secretary for Preparedness and Response, the Federal Bureau of Investigation, and the Food and Drug Administration, work with the AHA. However, these agencies must be given the necessary resources to respond to attacks and continuously help healthcare organizations prevent attacks from occurring and succeeding.
Healthcare entities should be helped, not blamed, for cyber attacks, the AHA pointed out.
“The victims of attacks should be given support and resources, and attackers should be investigated and prosecuted,” the letter stated. “Merely because an organization was the victim of a cyber attack does not mean that the organization itself was in any way at fault or unprepared.”
Furthermore, a breach does not necessarily equate to a HIPAA violation, the AHA noted. A successful attack requires a full investigation and “the lessons learned should be widely disseminated to prevent the success of similar attacks in the future.”
“Hospitals and health care providers are making great strides in securing their systems and sharing information to prevent and mitigate attacks,” the AHA concluded. “We urge Congress to provide law enforcement and other appropriate agencies with the resources to investigate cyber attacks, and proactively prevent them.”