Experts Testify on Healthcare Cybersecurity Issues at Senate Hearing

May 23, 2022 - The US Senate Committee on Health, Education, Labor, and Pensions (HELP) held a full committee hearing on May 18 to discuss the need for an increased focus on education and healthcare cybersecurity.

“Attacks on healthcare are increasing in volume, variety, and impact—with consequences that now include the loss of life,” Joshua Corman, founder of I Am the Cavalry, said in his testimony.

“While directionally correct steps have been taken, we’re getting worse faster than we’re getting better. Bold actions and assistance will be required to change this trajectory, address these market failures, lack of incentives, and historical under-investments.”

Cybercriminals have gained strength while defenders get weaker, Corman explained. In 2021 alone, more than 550 HIPAA-covered entities reported healthcare data breaches. Over 40 million individuals faced potential protected health information (PHI) exposure because of those breaches.

In Q1 2022, the Health Sector Cybersecurity Coordination Center (HC3) observed threat actors increasingly leveraging legitimate tools such as file transfer and remote access tools to infiltrate target organizations successfully. In addition, researchers observed threat actors consistently leveraging known vulnerabilities to take advantage of victims.

Healthcare Cybersecurity in ‘Critical Condition,’ Experts Say

READ MORE: Eye Care Leaders EMR Breach Impacts 1.5M+

Corman cited the cybersecurity workforce shortage, healthcare’s reliance on legacy systems, and the multitude of known vulnerabilities as critical factors contributing to the current state of healthcare cybersecurity.

COIVD-19 further emphasized the fragility of cybersecurity in the sector. As the pandemic began to overwhelm hospitals in 2020, threat actors started targeting healthcare supply chains and infiltrating hospital networks with significant success.

“The pandemic brought an untenable, perfect storm of a record high need for patient care in the face of record-high adversary activity, and severely diminished resources with which to defend the healthcare delivery environments,” Corman noted.

Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center (H-ISAC), also brought a unique perspective to the hearing.

In her testimony, Anderson, who also serves on the executive committee of the Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG), discussed the importance of information sharing and the actions H-ISAC and the HSCC CWG have taken to mitigate risk across the sector.

READ MORE: What is the HIPAA Privacy Rule?

“Ten years ago, ‘cyber’ and ‘healthcare’ were not even placed in the same sentence,” Anderson stated.

“Today because of the rise in digital healthcare, the proliferation of advances in technology and the efficiencies of connecting devices and data, the cyber threat surface in healthcare has ballooned and the threat actors have followed.”

Anderson highlighted the top five cyber threats to the sector, determined via a H-ISAC member survey: ransomware, phishing, third-party breaches, data breaches, and insider threats.

Anderson also noted healthcare’s unique position when it comes to cybersecurity.

“The Health sector is highly inter-connected. Unlike in other sectors, healthcare data must be portable. Sensitive patient information must move between various medical providers, pharmacies, diagnostic facilities, and payers to facilitate proper patient care and history, as well as, payment for those services,” Anderson observed.

READ MORE: Cybersecurity Authorities Issue Advisory on Common Initial Access Tactics

“Coupled with a diverse base within the sector, a highly regulated environment, complex siloed departments, a lack of skilled cyber staff, a lack of cyber security situational awareness, a lack of knowledge and training for the medical staff as well as at the CEO and Board level, and lack of cyber security strategy including a risk management approach, the Health and Public Health sector faces enormous challenges.”

Proposed Solutions

Despite these challenges, there is still hope, Corman suggested. Specifically, he pointed to the US Food and Drug Administration’s (FDA) cybersecurity pre-market and post-market guidance, the increased focus on software bill of materials (SBOMs) across the industry, and recent congressional actions.

However, Corman also noted that while this guidance is welcome, its voluntary nature may be limiting its positive impacts.

“Seatbelts weren’t voluntary. I don’t believe fire escapes were voluntary—nor kitchen sanitation codes for commercial restaurants. Public Safety isn’t free,” Corman remarked.

“The lack of sufficient public safety and public good is also dis-economic. Further crisis of confidence in the public in modern healthcare will drive devastating harms to the public safety, economic, and national security.”

Anderson also stressed the need for congressional actions to ensure healthcare cybersecurity while pointing out the great strides the industry has made in creating useful guidance to help organizations manage risk.

Anderson urged Congress to place further emphasis on threat sharing and cyber education and provide incentives for adopting cybersecurity best practices. In addition, Anderson suggested that there should be a designated cybersecurity professional within HHS to act as a government liaison and advocate for healthcare cybersecurity.

“As the world is increasingly depending upon digital infrastructure, that infrastructure needs to be more dependable,” Corman stressed in his testimony.

“The cybersecurity of healthcare is not trending in the right direction. We can do something about that. We must.”