Government Incentives for Healthcare Cybersecurity are Welcome. Regulations, Not So Much.

The pandemic has made it abundantly clear that healthcare is a vital part of every country’s infrastructure. Protecting healthcare against cyberattacks is therefore in the best interest of governments. The consensus is that more financial incentives would be welcome, but not additional regulation.

Healthcare Cybersecurity Spending

According to a 2020 survey by Statistica, 42% of healthcare organizations spend only 1-6% of their total IT budget on cybersecurity.

The 2021 State of Cybersecurity Report: The COVID-19 Evolution research from HIMSS found that 73% of respondents believed their organization needed to increase spending on cybersecurity, but only 40% felt their organizations had the financial means to make the necessary investments.

Bottom line: Healthcare is not spending enough on cybersecurity.

Incentives and Standards

Healthcare IT Today spoke with a number of experts on the topic of cybersecurity in healthcare – and in particular how the government could and should get involved. The consensus was that without financial assistance, either through funding or other financial incentives like tax breaks, the healthcare industry would continue to lag behind in cybersecurity.

George Pappas, CEO at Intraprise Health, had this to say:

The idea of having some sort of “meaningful use” program for cybersecurity in healthcare is gaining momentum in the industry. There must be some type of minimum standard for cybersecurity preparedness to protect the massive amount of healthcare data that is exposed around the country. Many healthcare organizations struggle to achieve even minimum cybersecurity standards – for example, critical access hospitals don’t have the same access to personnel and technology that larger health systems employ. The same concepts behind meaningful use could be applied to this challenge: namely, provide financial support based on an incentive/required achievement framework to deploy progressive cybersecurity protections.

What is interesting about Pappas’s comment is “minimum standard for cybersecurity”. He is not suggesting that governments write a blank check to healthcare organizations, but that help be given to achieve an agreed upon minimum standard. Unfortunately, a generally accepted cybersecurity standard does not yet exist.

Regulation

On the topic of cybersecurity regulations, Jonathan Langer, Medigate Co-Founder and now COO of Claroty, responded with:

Regulation of complex industries, like healthcare, is a task the federal government has taken on with varying effects. Their foray into cybersecurity regulations should be cautiously decisive. The trick will be to give guidance, with useful incentives, that can keep up with the rapidly changing threat landscape and the tools used to combat it. The challenge is that regulation might cause some healthcare organizations to do enough to comply, but not maintain an adequate level of protection in the ever-changing cybersecurity landscape.

Langer went on to suggest that governments could help by:

  • Tying Medicare/Medicaid reimbursement to cybersecurity metrics such as rapid remediation of threats, overall investment in cybersecurity, and alignment with prescriptive cybersecurity frameworks/guidelines such as HICP or NIST.
  • Requiring medical device manufacturers to meet minimum security requirements for FDA approval.
  • Providing guidance to the cybersecurity insurance market, which could spur investment in better cybersecurity practices to achieve more favorable insurance rates and premiums.

Not Just Patient Data

It is important to remember that healthcare organizations do not just have an obligation to protect patient data, but staff data as well. Charlie Lougheed, CEO & Co-Founder of Axuall, stressed this in his statement to Healthcare IT Today:

Data security in healthcare, rightfully so, often focuses on the patient. However, security and privacy are also important to the millions of healthcare workers who serve these patients. Their credentials define their career, and as such, their ability to work in different care settings. It deserves the same encryption, privacy, authentication, and consent level as patient data.

There is little doubt that healthcare will be the target of more cyberattacks. Healthcare is both a high-value and a soft target. Bad actors know that piercing the security measures of healthcare organizations is easier than piercing those of banks and governments.

If healthcare is considered vital infrastructure, governments would be wise to work with industry leaders to create an incentive program that will help all healthcare organizations invest in better cybersecurity.

About the author

Colin Hung

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat, one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading healthIT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is @Colin_Hung.