Industry Voices—With the healthcare sector under constant cyberattacks, are tighter regulations the answer?

U.S. critical infrastructure organizations are in the cyberattackers’ crosshairs these days, and the healthcare sector is no exception. Ransomware attacks have crippled hospitals and healthcare systems, often putting patients’ health and safety at risk. While many healthcare leaders are acutely aware of the ongoing threat, only some are making greater investments into their cyber defenses. The rest continue to tread water.

High-profile cases such as the SolarWinds and Colonial Pipeline attacks have provided a wake-up call, so the U.S. government has stepped up its role in regulating cybersecurity, especially for critical infrastructure. Historically, many of the government’s initiatives around cybersecurity had little to no teeth, leaving it up to the private sector to figure things out. Now, we see a shift in that approach. What does this mean for healthcare?

Lessons from the Colonial Pipeline attack

When the lack of basic cybersecurity controls enabled hackers to penetrate the largest U.S. pipeline, the implications were immense, and not just in financial terms for the company. The shutdown of Colonial Pipeline’s operations resulted in chaos across the entire East Coast. Panicked consumers went into a gasoline buying and hoarding frenzy, four governors declared states of emergency, and gas prices soared due to supply shortages.

In healthcare, an incident of this magnitude can have much more profound consequences. We have already seen how smaller ransomware attacks have compromised patient safety. A large-scale attack would be truly devastating. Healthcare cybersecurity weakness is an issue that impacts our entire society.

Yet exposure in the healthcare sector remains high, and the type of basic cybersecurity failures we saw at Colonial Pipeline are common in hospitals and healthcare systems. Healthcare CISOs and boards can no longer afford to sit on the sidelines and must learn from lessons gleaned from other critical infrastructure incidents.

The carrot versus stick approach

In response to the elevated threats to areas such as critical services and the supply chain, the U.S. Congress and the Biden Administration have increased their focus on cybersecurity. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 that President Biden signed in March will require private entities to report certain cybersecurity incidents and ransomware payments to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). And last November, a $2 trillion infrastructure bill earmarked $2 billion for cybersecurity to assist both the private and the public sectors in responding to cyberattacks.

The flurry of government activity around cybersecurity raises the question of whether tighter regulations may be on the horizon. A program that mandates improvements and has more bite—along with funding to execute it—could make a significant impact. This would require a fine balancing act, however, as getting the entire country to buy into legislation is not a simple task. But we can draw from successful examples where the government took a “carrot” rather than “stick” approach.

In healthcare, we need to look only as far as the implementation of electronic healthcare records (EHR). The drive to digitize patient records was significant, and the sector made a giant leap in less than seven years. This program would not have been successful without government incentives to implement EHR—and the clear requirements for receiving those funds.

Are tighter regulations or other government programs the prescription for better cybersecurity in critical infrastructure in general, and healthcare in particular? Existing playbooks from other sectors and precedents such as EHR suggest so. And given the high stakes of attacks on healthcare organizations and the risk to human life, we can certainly foresee legislators—and regulators—getting behind the idea.

Boosting cybersecurity in the meantime

Healthcare cybersecurity leaders should not wait until cybersecurity issues are solved at the government level. CISOs have a breadth of resources at their fingertips to boost security posture now. One of them is the National Institute of Standards and Technology (NIST), which has a phenomenal cybersecurity framework that every healthcare organization should adopt as a best practice. There is no shortage of other material that could help CISOs implement powerful programs, including a playbook being developed by the Healthcare & Public Sector Coordinating Council, a public-private partnership.

One major step that healthcare providers should not overlook is user awareness, education and training. People are the most critical component of an organization’s cybersecurity posture. For example, training people to look out for and report unusual behavior helps IT and cybersecurity teams to identify threats faster and better cope with attacks.

In the end, whether the answer to the overarching healthcare cybersecurity challenge is private or governmental, it requires a serious investment. Healthcare organizations will be much more successful if they make this investment proactively—not after a cyber event overwhelms them.

Ryan Witt is a healthcare cybersecurity leader at the cybersecurity company Proofpoint. He has 15+ years of experience advising healthcare institutions on the value of robust data protection to enable success in the new health economy. He is a recognized healthcare cybersecurity speaker, moderator, panelist and blogger who works extensively with HIMSS, CHIME, AEHIS, WEDI, and IDC.