Stakeholder groups representing tens of thousands of members and thousands of provider organizations responded to Sen. Mark Warner, D-Va.’s healthcare cybersecurity policy options, refining his strong ideas for cyberinsurance, incentive programs and other necessary resource options in hopes of much-needed Congressional support.
Cybersecurity is a shared responsibility, according to comments from the American Hospital Association, CHIME and the Association for Executives in Healthcare Information Security (AEHIS). Given the sophistication of many of these attacks, defending against them “is therefore more a matter of national security than an individual responsibility of organizing the private sector”.
“As a result, these situations should not result in sanctions for organizations,” the AHA wrote.
Prior to the release of Warner’s report, health officials had grown frustrated with the current rate of progress and what was seen as recycling past, successful efforts. As SC Media reported after its release, Warner’s ideas were seen as a breath of fresh air because they actually focused on issues with arguably the biggest impact in the industry.
Warner’s latest cybersecurity push for the sector couldn’t have come at a more opportune time. A large percentage of vendors are exhausted after the pandemic, while facing staffing challenges amid “a war waged by cybercriminals”, according to CHIME and AEHIS.
“Now is the time for Congress to act,” wrote CHIME and AEHIS. The groups pledged to improve the sector’s posture and reduce overall risks, but stressed that they “cannot do it alone.”
The federal government must act to direct more money to regulators for cybersecurity programs, consider implementing a catastrophic cyberinsurance program, and shift to an incentive program, rather than penalty-based policies.
The current cyber insurance model needs an overhaul
A recommendation shared among these important stakeholder groups concerns cyber insurance coverage, or the lack of it, which has become a growing concern for healthcare providers due to rising rates and the standards required to even obtain a policy.
At a Healthcare Information and Management Systems Society (HIMSS) event this week, Anahi Santiago, CISO of ChristianaCare – a provider organization among the top 1% of healthcare entities, the “cyber-haves” – shared her own experience with the cyber insurance renewal process. Despite a very healthy cyber budget and full implementation of the insurer’s requirements, their cyber insurance premiums increased by 43%.
“Based on what’s being asked of us, I know there’s absolutely no way the other 99% of healthcare organizations can afford the investments that are being asked for,” Santiago said at the time.
The critical insurance issues were created by the continued targeting of health care by foreign actors and should therefore be viewed as a national security threat beyond health care’s control, according to the AHA. As such, the government should create a “reinsurance program” to help victims of high-impact cyberattacks, in the same way that victims of international terrorist attacks would be supported.
For CHIME and AEHIS, the way to combat this untenable situation is to create a federal catastrophic cyber-insurance program capable of offsetting “the extremely high costs” faced by provider organizations, which can “act as a safety net for those who cannot obtain insurance on the open market.”
The AHA agreed that initiating a “cyber disaster relief program” is “an inherent public health and safety interest” because it would provide relief to healthcare cyber victims “during and after an incident” through “the provision of financial, technical and human resources.”
Bill Bernard, assistant vice president of security strategy for Deepwatch, previously shared with SC Media another way to mitigate these issues: centering incentive programs around cybersecurity insurance, or offering a reduced-cost cybersecurity program for entities that are difficult to insure, such as healthcare, available only if they meet the required security criteria.
Any one of these ideas, or a combination of them, could limit the current insurance debacle, but at a minimum, stakeholder groups stressed that the federal government should also provide stricter oversight of private cyber insurance companies.
Where can incentives have the greatest impact on health care?
As SC Media reported on the heels of the report, Warner’s suggestions were seen as a significant moment, particularly around an incentive package. CHIME and other groups have long recommended this approach as a way to avoid penalizing struggling vendors who implement industry-standard requirements but fall victim to a cyberattack despite these efforts.
The Safe Harbor Act released in January 2021 created the means to incentivize provider organizations to meet cybersecurity best practice requirements instead of massive monetary penalties. Warner’s approach is inspired by Meaningful Use, a policy that spurred providers to embrace electronic health records and led to widespread adoption.
“A voluntary cyber-incentive program is needed to help offset the investments healthcare providers need to improve their cyber posture and reduce risks to patient safety and national security,” according to CHIME.
For the AHA, financial incentives for small entities should focus on developing resources to assimilate cyber threat intelligence, identify IOCs, and apply recommended technical measures, in addition to qualifying grants for vendors who strive to adopt the technology and practices described in the NIST Cybersecurity Framework and the healthcare-specific guide known as 405(d).
CHIME agreed that a grant program targeting small, medium and underfunded vendors will indeed help address immediate cybersecurity needs. The group went a step further by suggesting that political incentive levers “should take priority over sanctions and punitive structures.”
“Congress should change the penalty structure for health care providers under the Health Insurance Portability and Accountability Act who experience a cyber incident to make it less punitive,” according to CHIME. “Healthcare providers – especially those that are small and under-resourced – should not be forced to continue to bear the full burden of cybercrimes.”
Additionally, “the Stark and Anti-Kickback policies should be amended to expand the category of technology types eligible for donation and prohibit recipients from taking legal action against their donor in the event of a cyber incident,” they added. There is also a need for a “cash for clunkers” program for healthcare providers, and “not for device makers.”
Additionally, as the government seeks to develop a workforce training program specific to healthcare cybersecurity and other workforce programs, “providers would also benefit from financial incentives or government-contracted cybersecurity entities to enter into contracts with third-party cybersecurity service providers,” the AHA wrote.
The AHA also recommended that incentives be directed to threat intelligence-sharing organizations such as Health-ISAC, given its importance to industry priorities, while CHIME believes Congress should allocate more funds to the Department of Health and Human Services for its Cybersecurity Coordination Center, ASPR, and the 405(d) industry support program.