Despite healthcare’s unique vulnerability in the area of cybercrime, cyber security has proved challenging to enforce. However, the legal system is pushing for a change. On November 3, 2022, the Senate proposed legislation in a bill known as SB 3904. This bill, if passed, would tie cyber security measures to reimbursement for medical professionals and establish a framework for enforcing secure practices. This bill would also require hospitals to adhere to a list of predefined security requirements in order to participate in the Medicare program.
Why legislation might be the answer
The healthcare industry is notoriously behind schedule in its current state of cyber-readiness. However, the current lack of compliance is not due to a lack of understanding. Despite widespread knowledge of the importance of cybersecurity, adoption in medical settings is still mixed. Why? Healthcare is heavily reliant on legacy technologies.
Many medical devices are built with proprietary coding and run on older operating systems, which can go as far back as Windows 7. Further updates to the software can render equipment unusable and force healthcare facilities into purchasing new equipment. Budget and access to quality equipment pose unique challenges for small or rural healthcare providers, affecting the quality of healthcare available to patients at these clinics.
Since there have been few top-down initiatives addressing healthcare’s need to upgrade their cyber-health, the adoption of current guidelines has been mixed and still leaves much to be desired.
SB 3904’s approach to cyber security
Updating medical devices is expensive and often requires new training for staff, which is unappealing as an option when medical professionals are already working at max capacity. Instead of addressing the issue from a higher level, many medical facilities have been managing the current risks with other approaches. Staff training on cyber security and network security These practices lessen the chances of a cyber attack, like disallowing unapproved internet access, but these measures are still incomplete.
In order to incentivize healthcare providers to upgrade their cybersecurity practices, the Senate has proposed including cybersecurity expenses in their Medicare payments. The text of the bill states that “Data reported to the Department shows that almost every month in 2020, more than 1,000,000 people were affected by data breaches at healthcare organizations. Cyberattacks on healthcare facilities rose 55 percent in 2020, and these attacks also resulted in a 16 percent increase in the average cost of recovering a patient record in 2020, as compared to 2019.”
The proposed legislation would require specific training for healthcare workers on understanding and mitigating cybersecurity threats. This training will be overseen by the Cyber Security Advisors and Cyber Security State Coordinators of the agency in collaboration with healthcare experts in the private sector. When enacted, the training would ensure that healthcare professionals learn the risk factors, potential impacts, and response mechanisms for dealing with cyber attacks. While up-to-date technology in medical equipment addresses one aspect of cyber security, the second and arguably more important part is the facility's staff.
In addition, it would provide that the director of CISA studies and reports on the risks of cyber attacks to the healthcare sector a year after the law's implementation. One notable detail is that this report would include specific information on how it impacts rural and small to medium-sized healthcare facilities. Some of the specific topics covered include barriers to obtaining up-to-date machinery for their facilities. Being limited to older technologies dramatically increases the risk of vulnerabilities.
The legislation would also require a joint effort from advisors and government leaders to create an action plan for what must be done before, during, and after a cyber attack. These entities would establish detailed reporting on how the lack of staffing in healthcare affects cyber security risks and determine the most effective and timely ways for them to convey and implement their recommendations and tools for increasing cyber security to those in the healthcare industry.
Why healthcare is unique in cyber security
So why are cybercriminals targeting healthcare? As an industry, healthcare is particularly vulnerable due to its reliance on legacy technologies, highly sensitive patient information, and crucial timelines for patient care. Even a short delay in medical services can gravely affect patient outcomes. Patient medical records are even more valuable than credit card information as they contain information such as social security numbers, demographic data, and addresses, which can be used to apply for credit cards and loans under the victim’s name.
It's safe to say that cyber security is a bipartisan concern with ample support from the government. Its slow implementation has been recognized as a concern, and both government and hospital staff widely agree that action is needed. Whether or not this legislation will advance has yet to be seen, but the support to enact top-down controls on cyber security in healthcare already exists. A solution is on the horizon, but how it will arrive and under what circumstances is yet to be determined.