Healthcare industry representatives are calling on Congress to establish minimum cybersecurity standards for their sector, arguing that the current wholly voluntary approach is failing clinics and hospitals.
Experts say cybersecurity gaps are widest at small rural hospitals, where staff are scarce and under-resourced.
Implementing security best practices that are contained only in voluntary guidance is simply not on the radar of such under-resourced hospitals, which are also contending with a barrage of other major challenges.
Therefore, without minimum standards, these facilities will not prioritize cybersecurity over other pressing needs in their strained budgets.
Stirling Martin, Chief Privacy and Security Officer at Epic Systems, stated that there is no shortage of best practice documents.
Still, sifting through all of them and setting priorities is not an easy task, and one of the things that the government can do to help is to establish a minimum threshold for security best practices.
Kate Pierce, who served for 21 years as CIO and CISO at North County Hospital, a 25-bed community hospital in Vermont, testified that staff at rural hospitals are scarce and stretched thin.
It is extremely rare to find individuals specifically assigned to handle security at those facilities.
Pierce argues that the healthcare industry needs help from the federal government to respond more effectively to the increasing frequency of attacks from nation-state actors and organized crime groups.
Scott Dresen, CISO of Corewell Health, the largest integrated health system in Michigan, states that the healthcare industry needs to make more of the actionable intelligence available to them.
The US government has actionable intelligence that would be of immediate value to the healthcare sector.
While there is some degree of automated intelligence sharing, more of that intelligence needs to be accessible.
Garcia, executive director of cybersecurity for the Health Sector Coordinating Council, said that financial support to help organizations get involved with the Health Information Sharing and Analysis Center or other information-sharing organizations would benefit many entities that don’t currently participate in intelligence sharing.