On Dec. 6, the Department of Health and Human Services (HHS) released a paper entitled “Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services,” outlining the department’s vision for cybersecurity preparation in healthcare.
HHS will take the following concurrent steps to build on the aforementioned actions and advance cyber resiliency in the healthcare sector:
1) Establish voluntary cybersecurity performance goals for the healthcare sector
2) Provide resources to incentivize and implement these cybersecurity practices
3) Implement an HHS-wide strategy to support greater enforcement and accountability
4) Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity
With regard to item number 1, HHS noted that, “Currently, healthcare organizations have access to numerous cybersecurity standards and guidance that apply to the sector, which can create confusion regarding which cybersecurity practices to prioritize. HHS, with input from industry, will establish and publish voluntary sector-specific cybersecurity performance goals, setting a clear direction for industry and helping to inform potential future regulatory action from the Department. The Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) will help healthcare institutions prioritize implementation of high-impact cybersecurity practices. HPH CPGs will include both “essential” goals to outline minimum foundational practices for cybersecurity performance and “enhanced” goals to encourage adoption of more advanced practices.”
On that same date, the leaders of the Chicago- and Washington, D.C.-based American Hospital Association (AHA) responded in a policy brief posted to their website. They stated that “The Department of Health and Human Services Dec. 6 released a concept paper outlining its cybersecurity strategy for the health care sector, which builds on a national strategy President Biden released last year. The paper calls for proposing new cybersecurity requirements for hospitals through Medicare and Medicaid; publishing voluntary health care-specific cybersecurity performance goals; working with Congress to develop funding and incentives for domestic hospitals to improve cybersecurity; developing enforceable cybersecurity standards; and strengthening the coordination role of HHS’ Administration for Strategic Preparedness and Response as a ‘one-stop shop’ for health care cybersecurity.”
And the brief included a statement from Rick Pollack, the association’s president and CEO, who said that “Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks. The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency and many others to prevent and mitigate cyberattacks. Responding today to HHS’ ‘Concept Paper’ on strategies for enhancing health care cybersecurity, the AHA welcomes the investment of federal expertise and funding in protecting hospital and health system patients from heinous attacks on critical health care infrastructure,” Pollack stated. “However, this fight is largely against sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation states. Defeating these hackers requires the combined expertise and authorities of the federal government.”
“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” Pollack continued. “Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks. The AHA will continue to work with the federal agencies and Congress to develop and advance policies to protect patients, data and health care services from cyberattacks.”
To parse the meaning of this exchange, and its implications for hospital-based organizations going forward, Healthcare Innovation Editor-in-Chief Mark Hagland spoke with Mac McMillan, former founder and CEO of the CynergisTek consulting firm (now part of Clearwater), and a healthcare cybersecurity adviser. Below are excerpts from their interview.
Looking at HHS’s policy announcement, and the AHA’s response to it, what is your overall reaction?
It doesn’t totally surprise me that they took this approach at the AHA; their constituent is the hospital. And they basically said, we’re a victim, we can’t be held accountable—which is nonsense, right? There are different levels of victimization. Everybody can be subject to a cybercrime; there is no immunity to cyber incidents, no matter how big or small, rich or poor you are, how much you’ve spent on cybersecurity. Everybody is the focus of cyberattacks.
But there is a difference between those who have done everything they can do, but are still victims; and in that scenario, I would argue that yes, enforcement in the form of penalties is inappropriate. If an organization has done everything that is reasonable, and they still suffer an attack, don’t add insult to injury by piling on penalties; that’s not right. But in cases where someone suffers a cyber attack because they haven’t done what they should have, or suffer a greater impact because of something they haven’t done, I would argue that penalties are appropriate. As the leader of a business, you have the responsibility to make sure your security is viable. And if you went up to any person in America who would be a potential patient and said, do you feel your hospital has no obligation to do anything about cybersecurity, I think every person would say, yes, I want my hospital to do its best; I want them to protect my data and protect me.
That brings to mind for me an analogy. Let’s say you open a 7-Eleven convenience store. Wouldn’t you be expected to install an alarm system, surveillance cameras, and locks on the doors, that kind of thing?
Exactly that. If you open a convenience store and your store is robbed, you’re still a victim, but would it be responsible to do nothing to protect yourself? No. We know that convenience stores get robbed all the time, so you would expect them to have alarms, cameras, panic alarms, etc. Not doing so would not rise to the level of reasonable management. The irony of this, though—and I’m giving them the benefit of the doubt—I don’t think that the AHA meant that zero cyber protection was their point. And this is a political minefield. I’m guessing that the AHA threw a big, fat landmine out into the middle of the field, and they’re waiting for someone to step on it. I genuinely don’t believe they meant their message the way it sounds. That said, it doesn’t change the tenor of the message or the way it’s being received by people. And what they’ve said is that anybody could be a victim, and we shouldn’t be held responsible for being a victim; I agree with that part 100 percent: don’t hold organizations responsible for experiencing an incident; hold them responsible for lack of preparation. Don’t hold a convenience store owner accountable for being robbed; hold the convenience store owner responsible for not being prepared.
Can we realistically set minimum nationwide standards for cyber preparedness in patient care organizations?
We absolutely can set minimal standards for cyber preparedness. Most smart cybersecurity professionals have been saying for well over a decade that HIPAA is not adequate; it was created in the last decade of the 20th century, and has never been updated, whereas every cybersecurity standard has been updated. We have mobile devices, tablets, cloud, telehealth, now, all things that didn’t exist when HIPAA was created. So HHS has said, we need to update the HIPAA security rule. I would argue that that’s not the right approach; I would say they should scrap the HIPAA security rule and just adopt the NIST standard. Quit futzing around, adopt a legitimate rule. Even confidential unclassified information, CUI, is handled in the federal government by NIST 800-171. It’s a compilation of controls from the NIST 800-53 family to address confidential but unclassified information.
The point is that every industry out there, and every part of the government, is now using the NIST standard as their basis for building an adequate program. And many healthcare organizations are following that standard, and it should be. So that part of the HHS proposal is weak; I think they should scrap HIPAA for security and go with the NIST standard. And the reluctance to do it is simply coming out of this attitude that that will cost patient care organizations money.
But they have been doing so already, and the fact of the matter is that they’re going to have to continue to do so, because it’s part of the cost of doing business. If you’re a digitized, automated industry, as healthcare now is, you’ve got to protect that kind of business. You’ve got a generation of doctors that have practiced only in electronic systems. And frankly, I think it’s irresponsible for healthcare to say that cyber is costing too much; there’s no “too much”; whatever you’re spending in order to achieve a level of resilience to be a viable business, that’s what you need to spend.
Part of the problem is that still today we don’t treat information and information systems with the priority or the value that they represent. That’s part of it; but I think that AHA’s position is being misquoted at the moment by a lot of people who are reacting to their drawing a line in the sand. And here’s the problem: when AHA comes out and says we don’t think hospitals should be held responsible, every CEO in healthcare says, I just got a big umbrella held over my head.
My theory is that many of these smaller and rural hospitals will ultimately have to be absorbed by larger health systems, because the smaller and rural hospitals absolutely lack the resources and expertise to manage the cyber challenges on their own. Your thoughts on that?
Yes, I absolutely think that for healthcare to take on this challenge, it will create opportunities for that to happen, because you’re right, if organizations say, woe is me, I’m a poor, small or rural hospital, and we’re not going to come up with inventions that will provide them with what they need, at some point, they’ll either go out of business, or become part of a larger entity. We saw that in banking in the 1990s: the smaller banks were gobbled up by the regional banks who were gobbled up by national banks. And most of the kids who are under 30 today have never walked into a bank. You don’t need localization. Things happen in industries. And it’s reasonable to think that consolidation will be accelerated. I still don’t believe that that’s the best solution; the problem with small hospitals selling themselves to larger hospitals is that sometimes, they go away; the big hospital just puts a clinic there and eliminates the cost, because at the end of the day, they’re a business. And the problem is that the people in that rural area suffer as a result.
There are things that can mitigate that, with regard to infrastructure. If you’re living in Muleshoe, Texas, and you’re two hours away from a large hospital and you have a heart attack or a stroke, I’ve got fifteen minutes to help you. And if you don’t have a hospital nearby, we need to get you to where you need to be. Telehealth has already made a dent in terms of heart attack-related deaths. These rural hospitals serve such an important role in taking care of the people who live in those communities, so that whatever solution we come up with has got to take the patient into account. So I’m not a fan of all this consolidation, to some degree; I’m not sure that we’ll get it all right.
Meanwhile, one of the other things the AHA talked about was that, because a lot of the things that happen related to third-party vendors, they said, the hospital can’t be held accountable for that, and that’s nonsense, too. That’s like saying I’m not responsible for who I allow into my home. And they talk about this Health PTI initiative, and I’m like, guys, we’ve been doing third-party risk for decades; I did it back in the 1990s for the federal government. But we established not only standards for how third-party assessments would be conducted, but we also established standards for the technologies that we would allow to connect to our systems. So the first thing a vendor would have to do would be to meet a standard for their application, before it could be purchased by a government entity. And second, they had to go through an evaluation to determine whether they were secure enough or not. And we shared that evaluation across the entire federal government.
It wasn’t like a bunch of independent hospitals using different companies to do their third-party assessments, or doing them themselves. And the assessments aren’t standardized or shared. So Hospital B assesses a company that Hospital A has already assessed. And companies do suffer fatigue; if you’re doing 100 hospitals, you go through 100 different assessments. But we have systems for credentialing doctors nationwide; we have systems for credentialing hospital visitors. Why in the world can’t we create a centralized hub for security reviews of vendors that every hospital can pay a small subscription to and have access to that data? It will lower the cost of third-party assessments. And a couple of the companies who are in this 3PT initiative are benefiting from the lack of consistency. Let’s stop the train. If the AHA wants to do something really constructive, they should come up with solutions that fit healthcare, that simplify challenges. Come up with what security should look like, and what third-party vendor assessments should look like; come up with a standard for creating a rural hospital network for security.
What do you think will happen, on a policy level, coming out of all of this?
If I were HHS, I would say, we agree with the AHA, anybody can be a victim, which is why we have incentives for organizations that embrace security, but those organizations that choose not to do the responsible thing and make it easier for cybercriminals to attack them or make it more impactful when they are breached, should be held responsible. There are degrees of victimization. We are all subject to being the victim of a cyber attack. What’s different is our ability to avoid it, diminish it, mitigate it, respond to it. And when you start talking about penalties, they ought to be focused on lack of responsive action. Somebody who does not implement multi-factor authentication on mail accounts and they get hit by a phishing attack—do I really have to tell you to do that in 2023? Now, if you have mail gateways, firewalls, spam filters, MFA, and strong passwords and you still get hit somehow with an attack that’s successful—I’m not going to find you at fault for the incident; that would not be fair.
The AHA will ultimately have to negotiate some set of rules, with HHS, correct?
That’s probably realistically what will happen. If I were HHS, though, I wouldn’t negotiate at all. I would say, I agree with you, everybody can be a victim, and in those instances where the entity has done everything to manage the risk, they won’t be penalized; but in regard to organizations that have not prepared, we owe it to the patients to hold that organization accountable for not doing what they should have done; and that is a very reasonable approach for us to take, and we don’t buy into the idea that because it was initiated via a third party or was a nation-state actor that perpetrated the attack, we no longer have any responsibility whatsoever to protect ourselves. And by the way, if third-party service providers are the concern we say they are, then let’s build a nationwide database that every vendor has to be registered into, and let’s share the data nationwide to lower the cost of healthcare and the cost of cyber protection.
If I had a national certification that I could apply for, it would only cost me once to go through the evaluation and get the certification, and as a vendor, it won’t cost me a hundred times. And every hospital organization in the country would be paying a low subscription fee to participate in the system. This is not rocket science, guys! We’ve done this before; physician credentialing is now standard.
And we do it with hospital visitors. The DoD has a CMMC program—Cybersecurity Maturity Model Certification program—that certifies vendors working outside the classified information system. And every vendor that wants to be certified can pick a level, and participate in the assessment process; and their assessment, when completed, is forwarded to the CMMC central hub. So the DoD and five military services can go to the CMMC site and look up the vendors and see their certification. That same system can be created for healthcare vendors.