The threats facing the healthcare industry have shifted dramatically in the 20 years since the attacks of Sept. 11, 2001. While bioterrorism remains a significant risk, cybersecurity has emerged as a preeminent concern as cyberterrorists and the proliferation of internet-connected devices continue to outpace the industry’s ability to protect itself.
It’s been four years since the Healthcare Industry Cybersecurity Task Force issued the last major report to Congress detailing vulnerabilities facing the industry and recommendations for combating them. Most of the ideas would sound familiar to anyone who’s been following the issue closely, as it appears little has changed in the intervening years.
“Based on my conversations with hundreds of hospital and health system leaders and board directors across the nation, all those leaders consistently view cybersecurity as a major enterprise risk issue and generally rank cyber risk within the top 3 enterprise risk issues; often many will cite it as their #1 risk concern,” John Riggi, senior adviser for cybersecurity and risk for the American Hospital Association, said in an email.
But many organizations don’t have enough money to upgrade their cybersecurity infrastructure—or aren’t allocating sizable portions of their budgets to those defenses. Nearly half of healthcare cybersecurity professionals said cybersecurity made up no more than 6% of a healthcare organization’s IT budget, according to a 2020 survey by the Healthcare Information and Management Systems Society. That figure is essentially unchanged from 2018, and some organizations have cut their cybersecurity funding in response to falling revenue during the pandemic. More than 60% of organizations don’t have an effective system in place to detect patient safety issues related to security incidents, according to HIMSS.
Still, data on cybersecurity spending needs to be taken with a grain of salt, Riggi said.
“There is not a specific formulaic approach to cyber expense characterization. For example, one organization may characterize firewall expenses as part of the cyber budget and another may characterize such an expense as part of the IT infrastructure budget,” he said.
Setting priorities
Congress established the task force under the Cybersecurity Act of 2015, directing HHS to convene a team of federal officials and private sector leaders to meet the growing challenge of cyberattacks targeting a fragmented and vulnerable healthcare system.
“The healthcare industry in the United States is a mosaic, including very large health systems, single physician practices, public and private payers, research institutions, medical device developers and software companies, and a diverse and widespread patient population. Layered on top of this is a matrix of well-intentioned federal and state laws and regulations that can impede addressing issues across jurisdictions,” the report said.
An overreliance on outdated legacy software and equipment and the rapid adoption of connected but susceptible devices and systems meant that healthcare cybersecurity was in a dismal state in 2017, the task force said at the time. Moreover, a dearth of cybersecurity professionals and resources had left health systems and insurers largely defenseless against the scourge of cybersecurity threats.
“These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information and the capability to act on that information,” the report said.
The 21-person team put forth six priorities for addressing cybersecurity across the public and private sectors, including better information-sharing about threats. The task force also called for a new healthcare-specific cybersecurity framework, which hasn’t materialized yet.
“HIMSS has been very vocal about the need to leverage the (National Institute of Standards and Technology’s) framework and we’ve called on NIST to work with the health sector to develop a health sector specific ‘subsection’ of the NIST Cyber Security Framework,” Tom Leary, senior vice president of government relations for HIMSS, said in an email. But since that has yet to happen, he said HIMSS has been working closely with NIST on education and outreach to the industry about the broader framework and how it could be applied to healthcare settings.
Theresa Meadows, chief information officer for Cook Children’s Health Care System, agreed, noting that the healthcare industry has been working closely with NIST to make sure its standards account for the needs of providers and insurers.
“There has been a lot of great work done there,” said Meadows, who co-chaired the HHS task force.