The Senate Homeland Security Committee cleared legislation on March 30, 2022, aimed at enhancing the cyber readiness of the U.S. healthcare sector. The proposed “Healthcare Cybersecurity Act,” or S. 3904, calls for collaboration between the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services to strengthen cybersecurity safeguards in the healthcare and public health sector.
This legislative move is timely and appropriate, given that cybersecurity advocates have been urging the recognition of the nation’s healthcare entities as critical infrastructure providers (CIPs) for many years. The recent surge of ransomware attacks on hospitals during the COVID-19 pandemic has brought this issue to the forefront as a matter of life and death, resonating with cybersecurity professionals, policymakers, and ordinary people alike.
The Growing Threat Of Cyber Attacks In Healthcare
The healthcare industry is a lucrative target for cybercriminals, as it holds valuable personal and medical information. This information can be used for identity theft, insurance fraud, or sold on the dark web for profit. In addition, healthcare systems are often vulnerable to cyber attacks due to their reliance on outdated technology and insufficient security measures.
Recent data breaches in the healthcare sector have highlighted the seriousness of the issue. In 2020, the US healthcare sector saw a 55% increase in data breaches compared to the previous year, with over 26 million records compromised. The COVID-19 pandemic has also made the sector more vulnerable to cyber attacks, as healthcare providers have had to adopt new technology and remote working practices rapidly.
The Need For Cyber Security Strategy In Healthcare
Given the growing threat of cyber attacks in healthcare, it is crucial that the sector has a robust cyber security strategy in place. The new government strategy aims to provide just that, with a focus on improving the security of healthcare systems and protecting patient information.
The strategy includes a range of measures, such as improving security awareness training for healthcare staff, investing in new security technologies, and enhancing incident response capabilities. It also includes plans to establish a new Cyber Security Operations Centre (CSOC) for the healthcare sector, which will provide real-time threat intelligence and response to cyber-attacks.
The State Of Cyber Defense Implementation
According to a recent report, the implementation of cyber defense measures in U.S. critical infrastructure providers (CIPs) varies widely. While 84 percent of U.S. CIPs have deployed some degree of endpoint detection and response (EDR) and extended detection and response (XDR) capabilities within their enterprises, only 35 percent report having full capabilities deployed. The figure in the healthcare services sector is much lower, with only 21 percent claiming to have achieved full implementation.
Survey respondents identified a number of barriers to cyber defense adoption. Among the top barriers were “tender and bidding process challenges” (44 percent), followed by “lack of implementation expertise” (42 percent), “lack of leadership recognition of the need to invest” (39 percent), and a “lack of in-house staffing” resources, trusted vendor partners, and budget (30 percent).
Software Supply Chain Risk Management
In software supply chain risk management, 83 percent of healthcare services respondents reported having implemented some degree of policies and processes, but only 26 percent have fully implemented these measures. This compares to 37 percent of U.S. critical infrastructure providers (CIPs) overall and 31 percent of respondents from regional government services.
While 92 percent of healthcare respondents recognize the importance of software supply chain risk management, they also cite it as a difficult cybersecurity measure to implement. Respondents largely agree that there needs to be more oversight on how cybersecurity products themselves were developed and where.
Most respondents (83 percent) believe that higher software cybersecurity standards mandated by the U.S. federal government for government agencies would influence the software industry to improve its standards.
A significant majority of sector respondents (88 percent) also believe the government should mandate cybersecurity standards for software development. However, many respondents expressed concerns about the complexity, costs, and timelines of implementing such standards.
COVID-19 Impact & Legacy
The COVID-19 pandemic has significantly impacted cybersecurity measures, with 88 percent of respondents reporting that the need to secure remote access to their enterprise resources became a more important issue. While 42 percent of sector respondents believe the hybrid remote work model is permanent, 34 percent are taking a wait-and-see position, and 25 percent believe it will fade.
Respondents also expressed support for the establishment of a U.S. Cybersecurity Safety Board similar to the U.S. National Transportation Safety Board. Most healthcare respondents (61 percent) believe the Cybersecurity Safety Board should focus on both public and private infrastructure, while only 48 percent of U.S. CIPs support this expanded role.
The Need For Continued Vigilance
While the government’s Cyber Security Strategy for healthcare is a significant step forward in protecting patient data, Trellix emphasizes the need for continued vigilance. Cyber threats keep evolving, and healthcare providers must stay up to date on the latest security measures to protect against them. In addition to implementing robust cybersecurity measures, healthcare providers must also establish comprehensive incident response plans to address potential security breaches.
A recent survey conducted by the Healthcare Information and Management Systems Society (HIMSS) shows that only 44% of healthcare organizations have a formal incident response plan. This is concerning, given the potential consequences of a security breach. Without an incident response plan, healthcare providers may not be able to respond quickly and effectively to a cybersecurity incident, leading to a greater risk of data loss or theft.
Trellix recommends that healthcare providers take a proactive approach to cybersecurity by implementing advanced security measures, regular penetration testing and vulnerability assessments, and establishing comprehensive incident response plans. By taking these steps, healthcare providers can reduce the risk of cyber-attacks and safeguard patients’ sensitive data.
Conclusion
The much-awaited National Cybersecurity Plan from the Biden administration has been released, and it aims to reassign cyber defense duties, boost cyber resilience, and thwart cyber threat operations. The five pillars comprising the document’s structure stand for five key focus areas: defending critical infrastructure, disrupting and eliminating threat actors, directing market forces toward security and resilience, investing in a resilient future, and creating global alliances to advance common objectives.
Each pillar has important consequences for companies that form vital infrastructure, including those in the healthcare industry. The National Cybersecurity Strategy specifically emphasizes prioritizing Internet of Things (IoT) device security and shifting some cyber responsibilities from software users to vendors.