The uptick in malicious data breaches at hospitals has been a worrying trend for the U.S. health system. According to data from the Department of Health and Human Services’ Office for Civil Rights (OCR), large breaches reported to OCR rose 93% from 2018 to 2022 (from 369 to 712), and large breaches involving ransomware rose 278% over the same period, which is especially concerning.
In response to the upward trend in these attacks and the risks they pose to patient care, the Department of Health and Human Services, through the Administration for Strategic Preparedness and Response, released voluntary health care specific cybersecurity performance goals (CPGs) last month as well as a new gateway website. They are intended to help healthcare and public health sector organizations implement high-impact cybersecurity practices and ease access to the considerable cybersecurity resources HHS and other federal partners offer.
The CPGs include 10 essential goals and 10 enhanced goals.
The 10 essential goals include:
- Mitigate known vulnerabilities that could be exploited by bad actors
- Reduce risk from common email-based threats, such as email spoofing, phishing, and fraud
- Add multi-factor authentication to protect assets and accounts directly accessible from the Internet
- Provide basic cybersecurity training
- Deploy strong encryption
- Revoke credentials for departing workforce members, including employees, contractors, affiliates, and volunteers
- Provide basic incident preparedness and planning to ensure safe and effective organizational responses to, restoration of, and recovery from significant cybersecurity incidents
- Use unique credentials inside organizations’ networks to prevent attackers from moving across the organization
- Separate user and privileged accounts
- Identify, assess, and mitigate risks associated with third party products and services
Mari Savickis, Vice President of Public Policy with CHIME, will be moderating a panel discussion as part of the Cybersecurity Pavilion at the ViVE 2024 event in Los Angeles, scheduled for February 25-28. She said her organization anticipates several developments addressing cybersecurity this year.
“We know HHS is re-opening the HIPAA Security Rule this fall and it is widely anticipated that we will see CPGs make an appearance in there. We are also watching for any possible requirements included in Medicare Conditions of Participation (CoP). While we strongly support improving the cyber posture of our sector, we believe using the CoP is not the way to tackle this,” Savickis said in an email.
Savickis added that during her panel discussion, speakers who are members of the Health Sector Coordinating Council’s Cybersecurity Working Group (HSCC CWG) will be making a big announcement. The announcement is intended to help improve the security posture of the health sector through collective action. The effort is led by Greg Garcia, the working group’s executive director; Erik Decker, its chair; and Chris Tyberg, its vice chair.
Here’s a look at some of the sessions that will be featured at the Cyber Pavilion at ViVE 2024 in the Los Angeles Convention Center. The sessions are scheduled for Monday, February 26, through Tuesday, February 27.
Bridging the Cybersecurity and Healthcare Chasm
The increased reliance on technology harbors inherent risks, especially for the healthcare sector, which is considered highly vulnerable to cyberattacks. With so much to lose in its databases, coupled with limited resources on staff, the healthcare sector is a prime target. Between the reliance on telehealth that took shape during Covid-19, the sensitive data that online medical records hold, and the incredible technological advances that keep people alive, our medical community is under immense pressure to keep patients safe online and in person. Deputy Director Nitin Natarajan of the Cybersecurity and Infrastructure Security Agency will discuss what makes the healthcare sector so susceptible to cyberattacks, what those in healthcare can do to prepare and what CISA has to offer in terms of free resources.
Time: 9 am to 9:45 am, Monday, February 26
Healthcare Cybersecurity 2029: From Critical to Stable Condition in Five Years
In 2017, an HHS task force diagnosed healthcare cybersecurity to be in “critical condition” because of relentless cyberattacks on the healthcare system that cause patient safety, financial, operational and public confidence impacts. In 2024, the Health Sector Coordinating Council, the industry-run critical infrastructure advisory council to the federal government and the health sector, is releasing its five-year Health Industry Cybersecurity Strategic Plan as a wellness formulary for how the industry can upgrade its security and resiliency prognosis from “critical” to “stable.” Forged over 18 months by health sector leaders in consultation with government partners, the Strategic Plan identifies the cybersecurity challenges posed by broad trends in the healthcare industry over the next five years and how the industry needs to prepare for them. The leadership of the HSCC and government officials will take the stage to discuss the strategy, with a call to action to the health industry to invest in the collective imperative that “cyber safety is patient safety.”
Moderator: Mari Savickis, VP Public Policy with CHIME
Speakers:
- Greg Garcia, Executive Director (HSCC), Health Sector Coordinating Council, Cybersecurity Working Group
- Erik Decker, CISO, Intermountain Healthcare, Chairman of Health Sector Coordinating Council, Cybersecurity Working Group
- Chris Tyberg, CISO, Abbott, Vice Chairman of Health Sector Coordinating Council, Cybersecurity Working Group
- Linda Ricci, Deputy Director, Office of Strategic Partnerships and Technology Innovation, FDA
- Brian Mazanec, Deputy Assistant Secretary, Office of Security, Intelligence, and Information Management, HHS
Time: 9 am to 9:45 am, Tuesday, February 27
Spiders, and Pandas, and Bears (and Adversarial AI!): An update on the bad guys attacking healthcare
Embark on a journey through the historical evolution of healthcare as a prime target for cyber threats as we explore artificial intelligence and cybersecurity. Plunge into the intricate details of cyber adversaries, exploring their organizational structures and increasing sophistication, with a focus on their utilization of AI to exploit data. Gain valuable insights into crafting robust security programs capable of effectively thwarting breaches, as we discuss innovative ideas and strategies to fortify healthcare systems against the evolving landscape of cyber threats. Join us for an engaging exploration that aims to empower professionals in building resilient defenses against the dynamic challenges posed by cyber adversaries in the realm of healthcare.
Speaker: Todd Felker, Executive Healthcare Strategist @ CrowdStrike
Time: 10:05 am to 11:05 am
Authors of “AI and Cybersecurity Handbook for Healthcare Boards”
These authors are partnering with leaders in diverse healthcare fields to create a series of guidebooks for boards, venture capital, informatics, and physician leaders aimed at improving health, care, and cybersecurity. The Trustworthy Technology and Innovation in Healthcare book series, forthcoming from publisher Taylor & Francis, is built to onboard technical and business leaders to the regulated healthcare sector while upskilling clinicians and building trust, respect, and a shared language and objectives across medicine, IT, legal, and cybersecurity. It was written by dozens of leading practitioners internationally across medicine, hospital administration, IT, business, engineering and bioengineering, information security, privacy, law, informatics, leadership, and project and program management. The books are resources aligned to industry-leading standards and certifications, designed to help health systems, medical device companies, investors, and other stakeholders identify and drive ongoing success with technology and innovation.
Speakers:
- Keith Duemling, Sr. Director of Cybersecurity Technology Protection, Cleveland Clinic
- Brad Marsh, EVP Government Health Security & Technology, First Health Advisory
- Mari Savickis, VP of Public Policy, CHIME
Time: 5 pm to 6 pm, Tuesday, February 27