After the sensitive health information of some members of Congress and hundreds of congressional staffers was exposed last week by the DC Health Link data breach, the Senate Committee on Homeland Security and Governmental Affairs is exploring ways to prevent future cyberattacks.
“Cyberattacks on hospitals and other health care providers can cause serious disruptions to their operations and prevent them from effectively providing critical, lifesaving care to their patients,” Committee Chairman Gary Peters (D-Mich.) noted during a March 16 hearing on the matter. “Breaches can also lead to the exposure of sensitive personal and medical information of patients and health care personnel.”
DC Health Link, a health insurance exchange for Washington residents and lawmakers, was notified on March 6 that the Social-Security numbers and other personal data of more than 56,000 enrollees had been exposed on a public forum.
At least 17 members of Congress were reportedly affected.
Citing the incident and other recent attacks on health systems around the country, Peters added, “These relentless cyberattacks show that foreign adversaries and cyber criminals will stop at nothing to exploit cybersecurity vulnerabilities, our critical infrastructure, and most essential systems.”
But preventing and addressing such threats, according to the panel of cybersecurity experts assembled by the committee, can be difficult for a number of reasons.
Challenges Facing the Health Sector
Kate Pierce, senior virtual information security officer at Fortified Health Security, advised that the targets of health sector cyberattacks are often small, rural hospitals that lack the funding and staff to prevent and address them effectively.
“Most small facilities have no staff to be able to monitor,” she noted, stressing that 24/7 monitoring of networks is key to staving off attacks.
And those small facilities, she added, can also provide hackers with access to larger networks, if left unprotected.
“Most small hospitals are connected to larger tertiary care centers—we need a place to refer our sicker patients—so this is the path of least resistance for our cyber attackers,” Pierce explained. “When they’re trying to figure out how to get to those big systems, they’re coming in through our small hospitals.”
Meanwhile, Greg Garcia, executive director of cyber security for the Healthcare and Public Health Sector Coordinating Council, emphasized that the changing technological landscape of health care continues to introduce new challenges to preventing attacks.
“Consider that health care innovation is going direct to the consumer, to wearable home medical technology and telemedicine,” he said. “This expands the so-called ‘attack surface’ for connected technology outside the clinical environment, which is harder for hospitals to … remotely secure.”
Other complicating matters include mergers and acquisitions processes, which often include merging complex networks, and health systems’ reliance on cloud software for the storage of large amounts of data—an increasingly common occurrence—which can present a risk for greater exposure.
Meanwhile, foreign state actors continue to conduct a “daily barrage” of attacks against U.S. health systems like Corewell Health, according to Scott Dresen, the health system’s senior vice president of information security and chief information security officer.
The Path Forward
One way Dresen said the federal government could help health systems to defend against such attacks would be to become “more aggressive” against malign foreign actors and provide more real-time “actionable intelligence” to organizations in the health sector about the kinds of threats they need to be watching for.
Another step that the entire panel seemed to agree upon would be the establishment of a minimum standard for cybersecurity best practices.
“That threshold can and should continue to change through time … but having that minimum threshold would be incredibly helpful for organizations,” noted Stirling Martin, senior vice president and chief privacy and security officer at Epic Systems.
Lastly, Garcia stressed that a change in perspective on cybersecurity would benefit workers across all industries.
“We need to do a culture change,” he said.
“It’s been a cultural problem for as long as I’ve been in cybersecurity that everyone outside of the security team says, ‘Cybersecurity? That’s the security team’s job, not my job.’ …”No, it’s actually everybody’s job.”