Why HHS’ Cybersecurity Concept Paper Falls Short for Healthcare

The following is a guest article by Chris Bowen, Founder and CISO at ClearDATA

The recent Cybersecurity concept paper from HHS, while a gesture towards progress, falls critically short of what’s imperative in today’s climate. In an era where the HHS itself notes a 93% increase in large healthcare data breaches from 2018 to 2022, as well as a 278% increase in those that involve ransomware, suggesting “voluntary cybersecurity goals” is akin to applying a band-aid on a hemorrhage. It’s time for HHS to mandate and enforce rigorous, prescriptive cybersecurity standards.

First and foremost, if you’re treating patients, there should be a clear mandate for certain minimum cybersecurity standards. For example, in the healthcare industry, we have to abide by HIPAA — a law that helps protect the privacy and security of people’s health information. We can’t serve our patients if we don’t ensure that protected health information (PHI) is kept private.

For healthcare organizations, and those organizations that support healthcare, some minimum cybersecurity standard mandates should include not simply addressable, but required encryption, and in flight with up-to-date encryption algorithms. Implementing granular role-based access, multi-factor authentication (MFA), network segregation, and robust and effective disaster recovery measures that are tested regularly can also help increase resiliency should a ransomware attack occur.

The HHS also outlines its intentions to seek funding from Congress to provide the necessary resources to protect our health system. I agree that healthcare organizations can definitely use the resources, as they are faced with reduced margins. Moreover, the sector’s talent gap in cybersecurity is no secret, and it places our hospitals at a disadvantage, jeopardizing patient safety.

To help close this talent gap, Senator Mark Warner from Virginia, who co-founded the bipartisan Senate Cybersecurity Caucus in 2016, in his policy paper, Cybersecurity is Patient Safety, calls for Congress to, “consider establishing a workforce development program that focuses specifically on healthcare cybersecurity, due to cybersecurity workforce shortage happening across industries,” among other industry-incentivizing programs. It’s new approaches and ideas like these that will build a skilled workforce that is ready to protect the healthcare delivery system from existing and future cybersecurity threats.

The HHS goes on to propose a strategy to support greater enforcement and accountability. The last thing resource-constrained hospitals need for accountability are more fines because a bad actor infiltrated their systems while they are trying to serve patients – and then pass along those costs to patients.

Instead of playing defense by extracting funds from the healthcare system – which also penalizes the hospital systems by further reducing resources to protect against cyber-attacks – we need to play offense and look at how we can take bad actors offline before they have a chance to attack.

Finally, the HHS looks to expand and mature the healthcare cybersecurity support function within the Administration of Strategic Preparedness and Response (ASPR). Here I agree – we can use all the help we can get. Protecting lives extends beyond the physical realm; it encompasses shielding patients from the lethal threat of cyber-attacks. To accept minimum, voluntary standards is to tacitly endorse a status quo that endangers our patients. This isn’t just about data; it’s about lives. The time for half-measures is over. We owe it to our patients to fortify our defenses with the utmost urgency and resolve. They depend on us in their most vulnerable moments; we cannot let them down.

About Chris Bowen

Chris is the Founder and Chief Information Security Officer at ClearDATA. He leads ClearDATA’s internal privacy, security, and compliance strategies as well as advises on the security and privacy risks faced by customers, which include global healthcare organizations, health insurance companies, providers, life science companies, and market-leading innovators from Asia Pacific, North America, and Europe. Mr. Bowen also leads ClearDATA’s international security risk consulting practice and has provided counsel to some of the world’s largest healthcare organizations.

He is a Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Technologist (CIPT) from the International Association of Privacy Professionals (IAPP), and Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional from (ISC)2. As one of the leading experts on patient privacy and health data security, Chris has authored dozens of articles and is a frequent speaker at national healthcare industry events.

Get Fresh Healthcare & IT Stories Delivered Daily

Join thousands of your healthcare & HealthIT peers who subscribe to our daily newsletter.