Senators Seek Remedies to Health Systems Cyber Threats After Data Breach

After sensitive health information was breached by DC Health Link last week, hundreds of congressional staffers and members of Congress were exposed. The Senate Committee on Homeland Security and Governmental Affairs now seeks ways to prevent similar cyberattacks in the future.

“Cyberattacks on hospitals and other health care providers can cause serious disruptions to their operations and prevent them from effectively providing critical, lifesaving care to their patients,” The matter was brought up by Gary Peters, Chairman of the Committee (D-Mich.), during a March 16 hearing. “Breaches can also lead to the exposure of sensitive personal and medical information of patients and health care personnel.”

DC Health Link, Washington’s health insurance exchange, was notified by DC Health Link on March 6 that the Social-Security numbers, and other personal data, of over 56,000 participants had been made public.

According to some reports, at least 17 members of Congress were affected.

Peters spoke out about the attack and other recent attacks against the country’s health systems. “These relentless cyberattacks show that foreign adversaries and cyber criminals will stop at nothing to exploit cybersecurity vulnerabilities, our critical infrastructure, and most essential systems.”

However, it is possible to address and prevent such threats according to the panel made up of cybersecurity experts.

The Health Sector is facing challenges

Fortified Health Security’s senior virtual information security officer, Kate Pierce, stated that cyberattacks in the health sector are most often directed at small rural hospitals, which lack the resources and staff necessary to address and prevent them.

“Most small facilities have no staff to be able to monitor,” She stressed that monitoring networks 24/7 is crucial to preventing attacks.

These small facilities can, she said, also give hackers access to larger networks if they’re not protected.

“Most small hospitals are connected to larger tertiary care centers—we need a place to refer our sicker patients—so this is the path of least resistance for our cyber attackers,” Pierce explained. “When they’re trying to figure out how to get to those big systems, they’re coming in through our small hospitals.”

Greg Garcia, the executive director of Cyber Security for the Healthcare and Public Health Sector Coordinating Council, stressed that attacks can still be prevented because of the constantly changing technological landscape in healthcare.

“Consider that health care innovation is going direct to the consumer, to wearable home medical technology and telemedicine,” He said. “This expands the so-called ‘attack surface’ for connected technology outside the clinical environment, which is harder for hospitals to … remotely secure.”

Other complicating matters include mergers and acquisitions processes, which often include merging complex networks, and health systems’ reliance on cloud software for the storage of large amounts of data—an increasingly common occurrence—which can present a risk for greater exposure.

Foreign state actors continue to carry out a variety of activities. “daily barrage” Scott Dresen is the senior vice president of information security at Corewell Health and chief information security officer.

The Way Forward

Dresen stated that one way the federal government could help protect health systems from such attacks is to become “more aggressive” Protect foreign actors from maligning and provide more immediate assistance “actionable intelligence” Organizations in the healthcare sector should be aware of the types of threats they must be on the lookout for.

The panel also agreed on the need to establish a minimum standard for cybersecurity best practice.

“That threshold can and should continue to change through time … but having that minimum threshold would be incredibly helpful for organizations,” Stirling Martin is Epic Systems’ senior vice president and chief privacy & security officer.

Garcia emphasized that workers from all industries could benefit from a change of perspective regarding cybersecurity.

“We need to do a culture change,” He said.

“It’s been a cultural problem for as long as I’ve been in cybersecurity that everyone outside of the security team says, ‘Cybersecurity? That’s the security team’s job, not my job.’ …”It’s everyone’s job.”