The healthcare industry saw an unprecedented number of cybersecurity breaches in 2016, punctuated by the growing threat of hacking and ransomware attacks. But the CISO of a major pharmaceutical manufacturer believes that’s just the tip of the iceberg.
During a House Energy and Commerce Subcommittee on Oversight and Investigations hearing on Tuesday, Terry Rice, vice president of IT risk management and CISO at Merck, acknowledged that cybersecurity has emerged as a top concern for healthcare organizations. That concern was born of a steady stream of data breaches that compromised more than 100 million health records in the last several years. But the true number could be even larger, as cybersecurity incidents are “significantly underreported,” representing “a small fraction of the incidents that actually occur,” according to Rice’s written testimony (PDF).
“Unfortunately, I believe these incidents underrepresent the risks we are facing as an industry,” Rice told lawmakers.
Increased data-sharing and rapid integration of software and technology have created a more vulnerable environment for healthcare organizations, prompting the need for greater industry collaboration to identify and combat threats. Last month, the FBI’s James Comey said public-private partnerships are critical to combating cybercriminals.
However, the industry’s primary vehicle for that collaboration has struggled to gain a foothold. Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC), told lawmakers that many healthcare organizations—particularly smaller providers—are unaware that NH-ISAC even exists. That creates a domino effect that leaves membership stagnant and limits the lateral information sharing used to combat emerging security threats.
With approximately 200 members, the NH-ISAC pales in comparison to other industries, like finance, which boasts an ISAC membership of 6,000 thanks to encouragement from the Treasury Department. Michael McNeil, global product security and services officer at Royal Philips, said NH-ISAC needs a “ten-fold growth in membership” for hospitals, payers and device manufacturers to reap the benefits of information sharing about new and emerging threats.
In a statement (PDF) submitted to the subcommittee, the American Hospital Association (AHA) argued that hospitals and health systems “take their responsibility to secure systems seriously,” pointing to past surveys that showed a majority of hospitals have taken steps to implement intrusion detection systems, encrypt data and conduct annual risk assessments.
But AHA also acknowledged that information sharing is still elusive.
“The increased information sharing is not yet a reality, and expedited and tailored cyberthreat information sharing from the federal government would benefit all health care and public health organizations,” the statement read. “Providers most need actionable information that identifies specific steps they can take to secure against new threats. Large volumes of more generalized information can prove challenging to interpret, and even become a distraction.”
Both Anderson and Rice also called on the government to appoint a senior cybersecurity liaison with experience in the healthcare industry to oversee guidance updates. McNeil, who serves on the HHS Cybersecurity Task Force, noted that the group expects to release its long-awaited recommendations within the next month.
The hearing echoed several groups that have recently called for significant changes to the healthcare industry’s approach to cybersecurity. Last month, the Workgroup for Electronic Data Interchange called for a cultural shift toward cybersecurity defense, and the Institute for Critical Infrastructure Technology urged healthcare organizations to use artificial intelligence to fight ransomware attacks.