Cyberattacks on US healthcare facilities are escalating quickly. In response, the United States Senate Committee on Health, Education, Labor, and Pensions (HELP) has organized a full hearing on the issue. The committee aims to determine the scale of the healthcare cybersecurity problem, analyze its underlying causes, and propose solutions.
At the moment, three facts are becoming increasingly clear, and none of them can be dismissed as a passing problem:
- Healthcare cyberattacks are rising dramatically
- Labor shortages in the cybersecurity sector are leaving openings
- Attacks are happening through known vulnerabilities
Increased remote operations, especially for non-medical staff, explain the first two facts. The staff shortage forced by the economic decline is another cause of the crisis. However, most of the attacks that happened in Q1 2022 exploited well-known vulnerabilities. This shows that healthcare cybersecurity is not an arms race between hackers and security experts; unfortunately, it is a battle that is being lost on flaws that were already known.
One of the experts providing testimony, Joshua Corman, the founder of the cybersecurity-focused policy group “I Am The Cavalry”, stated that the COVID-19 pandemic of the last three years has stressed the healthcare system to a high degree. In turn, it pushed many of its systems to their breaking point, including cybersecurity.
550 Confirmed Data Breaches in 2021
During his testimony, Corman presented information that in 2021, more than 550 specific data breaches happened in various healthcare data centers. Combined, these breaches have affected more than 40 million US healthcare customers. Even worse, the majority of those customers are in vulnerable demographic categories.
The biggest individual breach was on January 29th, when the Florida Healthy Kids Corporation was hacked. The attack leaked more than 3.5 million individual files, mostly belonging to people who had applied for coverage with the corporation. Those files included both existing medical information and banking information, two categories that are especially sensitive for HKC users.
Corman described this as the “perfect storm brought on by the pandemic”: so many patients requested care, and healthcare system resources were under such duress, that healthcare cybersecurity was left weak against those breaches.
Contrary to that statement, Denise Anderson, the president and CEO of H-ISAC, argued that the issue existed even before the pandemic. She believes the pandemic only made the problem more apparent.
In her words, “the large interconnectivity and interdependence of the system made the healthcare system so prone to cyber-attacks.” She also pointed out that technological and legislative stagnation led to most places having outdated and inadequate data sharing protocols.
Part of a Wider Issue
Although healthcare has been one of the fastest-rising cybersecurity targets, it does not stand out that much. Cyberattacks and cybersecurity risk in general have increased over the last two years in all fields. As a result, both public and private companies are reevaluating their cybersecurity strategies.
Still, we can note three overarching issues that affect healthcare, especially under strained budgets:
- Low competency
- Reduced talent attractiveness
- Obsolete legislation
The HELP committee wishes for better legislation. They believe this would force healthcare operators to increase competency. HELP also hopes legislation would attract the talent needed to improve the systems and prevent future leaks.
Cybersecurity Issues with Public Companies
During her testimony, Anderson stated that a decade ago, no one mentioned cybersecurity and cyberattacks in the healthcare sector. Today, it is on everyone’s lips.
Her testimony reinforces what cybersecurity experts have known for a long time: insufficient awareness and a lack of internal oversight create wide gaps in cybersecurity for public companies.
Put simply, public companies often ignore threats that don’t seem imminent and focus instead on those that are more pressing. Regretfully, in the case of healthcare cybersecurity, the issue is much more difficult to solve.
The Cybersecurity Labor Shortage
Cybersecurity experts are hard to source and train, yet they are becoming increasingly necessary across multiple branches of industry. While major tech giants can build new business models to draw in cybersecurity talent, healthcare facilities rarely have that kind of reach.
Additionally, employment in healthcare has become less desirable during the pandemic. Healthcare workers have hectic schedules and are more at risk of infection. While these challenges don’t necessarily apply to cybersecurity analysts in healthcare, the perception still holds sway with the public.
Less competitive pay is also an issue. Few healthcare centers have the funds to offer the six-figure salaries needed to attract top talent.
Healthcare Attacks Are Gaining Traction
High-profile industries like healthcare are a large target. The global healthcare industry reached $8.45 trillion in 2021, with roughly a tenth of that spent in the US alone.
Exacerbating this issue is the fact that healthcare systems in the US are usually quite similar to each other, and they are very rarely updated. This obsolescence can be both technical and educational, as new employee protocols are seldom enforced.
Because of this, hackers and scammers attack such databases in the same way, and often more than once. Attackers also publicize these attacks online, showing others how to repeat them, which creates a snowballing effect.
Unless things improve, the attacks on US healthcare data centers are unlikely to cease soon. Preventing these attacks and catching the perpetrators is essential; otherwise, healthcare cybersecurity will stay weak.
New Bill to Increase Healthcare Cybersecurity Standards
Both Corman and Anderson welcomed the FDA’s new Software Bill of Materials (SBOM) guidance, which aims to improve cybersecurity. However, both expressed their unhappiness that this guidance will not be mandatory for companies.
Both reject the argument that enforcement would impose more costs on already struggling healthcare companies. Mandating seat belts in cars or food safety standards also creates additional costs, yet enforcing those standards is worthwhile, and so will be enforcement of SBOM guidelines.
They also proposed a government liaison to encourage the sharing of cybersecurity experience across the healthcare industry, to help combat the current expert shortage.