Lawmaker Says New Regulations Needed to Fix ‘Lax’ Cyber Postures of Major Entities
The healthcare sector needs tough new federal regulations to bolster cybersecurity, said Sen. Ron Wyden, D-Ore., in a letter this week to HHS. (Image: Getty Images)
Marianne Kolbasuk McGee (HealthInfoSec) • June 6, 2024
The Senate Finance Committee chair is urging the U.S. Department of Health and Human Services to get tougher on healthcare sector cybersecurity requirements. He says HHS’ “failure to regulate the cybersecurity practices of major healthcare providers” has contributed to the “major epidemic” of attacks such as the highly disruptive Change Healthcare ransomware hack.
Sen. Ron Wyden, D-Ore., in a letter Wednesday called on HHS Secretary Xavier Becerra to take “immediate, enforceable steps” to require large healthcare companies to improve their cybersecurity practices.
Health-ISAC contrubutions to the article:
What’s Feasible?
Some industry experts agree that the healthcare sector needs to fortify its cybersecurity, but they say new regulations are not necessarily the answer.
“In general, mandating cybersecurity minimums via regulation won’t work,” said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, Health-ISAC.
“The technology moves too quickly for regulation to keep up with what would be considered appropriate minimum security standards. Worse yet, the threat landscape evolves faster than the technology and would be impossible to keep up with in regulation.”
Even the government is not immune to these sorts of attacks, as seen by recent incidents at the State Department and CISA, said Denise Anderson, president of Health-ISAC. “Cybersecurity is a very complex issue and it is easy to say that having certain protocols in place will stop an attack. While certain baseline practices certainly help, they are not a panacea,” she said.
The reality is that the threats will continue to evolve, and cyber defenses will at some point no longer be effective, she said. “Threat actors have found ways to defeat multifactor authentication. Where there is money to be made, threat actors will find a way.”
The expectation to rebuild IT infrastructure from scratch within 48 to 72 hours after an attack is unfeasible, Weiss said. “Today’s modern hospitals and health systems are large, complicated and dependent on many partners and suppliers,” he said.
“It’s taken Change Healthcare weeks, if not longer, to rebuild systems and restore services following their incident in February. A 48- to 72-hour rebuild requirement would be enormously expensive, if even possible. And who is going to pay for that? Hospitals and providers are already struggling to survive financially.”
Wyden’s suggestion that more cybersecurity assistance would help the sector is closer to reality for many entities. “We need more investment in cybersecurity – not only the technology to adequately protect hospitals, but the experienced people to run it,” Weiss said.
“For large organizations who have more resources to apply to cybersecurity, the problem becomes more about ensuring compliance and continuous testing to secure systems from an attack,” he said.
Putting greater emphasis on compliance with new regulations is not the answer because it will detract from actual cybersecurity efforts, Anderson said. “Rather, organizations should be incentivized with tax breaks and other means to help with the cost of putting measures in place.”