Posted 04 April 2017
By Michael Mezher
The House Energy & Commerce Committee on Tuesday held a hearing looking into ways to improve cybersecurity across the healthcare sector.
In recent years, cybersecurity has been a growing concern in healthcare, with high profile cyber-attacks and vulnerabilities causing disruptions for insurers, hospitals and medical device makers.
The stakes for patients are high too as patient data could be lost or tampered with, hospital services interrupted or patients harmed through attacks targeting specific devices (though there have been no reported cases of patient harm from cybersecurity attacks).
In healthcare, as in other sectors such as finance and energy, the approach to cybersecurity has centered on public-private partnerships: agency and industry stakeholders coordinate and direct cybersecurity efforts, and threat and vulnerability information is shared across the sector through information sharing and analysis centers (ISACs).
However, Subcommittee on Oversight and Investigations chairman Tim Murphy (R-PA) said the healthcare sector has "long struggled to coalesce around the public-private partnership model, especially with respect to cybersecurity."
Improving the public-private partnership around healthcare cybersecurity, Murphy said, is a "daunting" task, owing to the array of different industries, interests and government agencies involved in delivering and regulating healthcare.
"To start, healthcare is an incredibly diverse and complex sector with a wide range of industries and institutions of various sizes, technological sophistication and resources. It is also a sector where cybersecurity often becomes conflated with privacy or compliance, complicating the discussion," he continued.
To address some of these issues, Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC), called on Congress to help facilitate participation in ISACs.
Congress, Anderson said, could help by providing incentives, such as tax breaks, to encourage companies to participate in ISACs.
According to Terry Rice, vice president of IT risk management and chief information security officer at Merck, who also serves on the NH-ISAC board of directors, NH-ISAC is being held back by low participation rates.
"We have 200 members, but the [Financial Services]-ISAC has 6,000 members. We need to reach out more to get all of those entities sharing information," he said.
Anderson also said that companies may be hesitant to share information within an ISAC if they fear the information will not remain confidential to its members. She pointed to a recently quashed effort to subpoena communications between the automotive industry ISAC and one of its members, Fiat Chrysler Automobiles.
Additionally, Anderson called on Congress to clear up confusion over ISACs and information sharing and analysis organizations (ISAOs), which are referred to in a 2015 executive order and guidance from the US Food and Drug Administration (FDA).
While FDA has clarified that it considers NH-ISAC to be an ISAO, Anderson said the reference to ISAOs has created confusion among industry.
Both Rice and Anderson also called on the Department of Health and Human Services (HHS) to appoint a cybersecurity liaison to serve as a point of contact for industry.
"Today, there are multiple offices within the department that have some responsibility for cybersecurity outreach, but none of them have it as their primary task," Rice said.
While the hearing focused on questions surrounding healthcare cybersecurity as a whole, committee majority staff pointed to FDA's efforts on cybersecurity over the last few years as a success story.
"[FDA] has taken a forward-leaning, collaborative approach to medical device cybersecurity," committee majority staff wrote in the hearing background memo.
Michael McNeil, global product security and services officer at Philips, who spoke on behalf of the Advanced Medical Technology Association (AdvaMed) also credited FDA for its efforts to bring stakeholders together to discuss device cybersecurity and for issuing guidance on the topic.