Healthcare under threat: Collaborative and proactive cybersecurity in uncertain times
As federal support for healthcare cybersecurity faces potential cutbacks and restructuring, the onus falls on healthcare providers to collaboratively fortify their defenses and proactively address the escalating cyber threat.
The ongoing shake-up of federal agencies and budgets has spurred a host of questions about the future of funding, staff, and previous projects. This week, the Department of Health and Human Services (HHS) has been asked to cut one-third of its discretionary budget, or $40B, following staffing cuts of around 20,000 employees.
While these changes are far from final, the situation calls into question previous HHS initiatives to amend the HIPAA Security Rule, OCR enforcement, and long-awaited baseline cybersecurity standards that would help healthcare providers adopt security practices leveraged by most industries.
In addition, critical support functions provided by other agencies of the federal government, such as threat analysis and overall support of the critical infrastructure sectors, are currently in question. All the while, the cyber threat environment has become increasingly complex.
Six months or more ago, it would have been hard to imagine the level of uncertainty healthcare providers would face. This is certainly true as it pertains to cybersecurity.
Without federal involvement, proactive cybersecurity is up to the healthcare sector
Industry leaders are aware that reactive cybersecurity is inadequate for the state of current threats. Long-standing challenges — tight budgets, limited resources, and staffing gaps — hinder the adoption of many large-scale projects. Many healthcare providers struggling to meet HIPAA requirements (let alone NIST CSF or CPG standards) are unable to staff or fund the projects needed to make real improvements.
Regardless of myriad challenges, the healthcare sector simply must keep moving forward on cybersecurity. While awareness around cyber risk has improved, much more needs to be done to recognize and embrace collaborative initiatives and the existing resources. By adopting a collaborative approach in uncertain times, healthcare organizations can continue to move the needle on cyber resilience across the industry.
Key actions to boost collaborative and proactive cybersecurity include:
- Collaborate at the enterprise level
There are several low- or no-cost approaches to enact true enterprise collaboration:
- Include cyber leaders in pivotal technology and digital innovation discussions
- Break down siloes between IT, cyber, and biotechnology
- Prioritize vulnerability management/remediation
- Review and enhance third-party, supply chain, and business associate contracts
- Leverage the increased awareness of your executive team and board
Several forces are helping increase cyber awareness at the corporate level. The financial regulatory environment (e.g. SEC requirements) has made the executive suite and Boards of Directors not only aware of, but responsible for, cybersecurity. The Change Healthcare breach, which affected a large percentage of all healthcare providers, has heightened awareness and put a spotlight on organizational resilience. You can leverage this awareness to work collaboratively to enhance enterprise cybersecurity.
- Actively participate in industry cyber initiatives and leverage their resources
- Join H-ISAC as a member to receive sector threat data
- Participate in the HSCC and its PSWG – learn about their industry initiatives and leverage their work, such as the Health Industry Cybersecurity Practices (HICPs).
- Don’t miss already existing federal resources:
- NIST CSF and SP-800 Series Guidance
- NIST Cyber Security Resources for HIPAA-regulated Entities
- HPH Cybersecurity Performance Goals
- CISA’s Free Vulnerability Scanning Tool
- CISA/HHS Collaborative Healthcare Cyber Toolkit
- HHS Health Sector Cybersecurity Collaboration Center (HC3)
- Valuable FBI Resources
- Participate in CHIME and in the cybersecurity community – CIOs, CISOs and other cyber team members can collaborate with their peers and learn how others are meeting cyber challenges.
Lisa Gallagher is National Security Advisor at CHIME.