Senators Seek Remedies to Health Systems Cyber Threats After Health Data Breach

After sensitive health information was breached by DC Health Link last week, hundreds of congressional staffers and members of Congress were exposed. The Senate Committee on Homeland Security and Governmental Affairs now seeks ways to prevent similar cyberattacks in the future.

“Cyberattacks on hospitals and other health care providers can cause serious disruptions to their operations and prevent them from effectively providing critical, lifesaving care to their patients,” Committee Chairman Gary Peters (D.Mich.), made this observation during a March 16 hearing. “Breaches can also lead to the exposure of sensitive personal and medical information of patients and health care personnel.”

DC Health Link, Washington’s health insurance exchange, was notified by DC Health Link on March 6 that the Social-Security numbers, and other personal data, of over 56,000 participants had been made public.

According to some reports, at least 17 members of Congress were affected.

Peters added that the incident was just one of many recent attacks on the health system in the country. “These relentless cyberattacks show that foreign adversaries and cyber criminals will stop at nothing to exploit cybersecurity vulnerabilities, our critical infrastructure, and most essential systems.”

According to the panel of cybersecurity experts, it can be hard to prevent and address such threats.

The Health Sector’s Challenges

Fortified Health Security’s senior virtual information security officer, Kate Pierce, stated that cyberattacks in the health sector are most often directed at small rural hospitals, which lack the resources and staff necessary to address and prevent them.

“Most small facilities have no staff to be able to monitor,” She stressed that monitoring networks 24/7 is crucial to preventing attacks.

She also said that hackers can gain access to smaller networks through these small facilities if they are not protected.

“Most small hospitals are connected to larger tertiary care centers—we need a place to refer our sicker patients—so this is the path of least resistance for our cyber attackers,” Pierce explained. “When they’re trying to figure out how to get to those big systems, they’re coming in through our small hospitals.”

Greg Garcia, the executive Director of Cyber Security for Healthcare and Public Health Sector Coordinating Council stressed that new threats to cybersecurity are still possible due to the evolving technological landscape in health care.

“Consider that health care innovation is going direct to the consumer, to wearable home medical technology and telemedicine,” He stated. “This expands the so-called ‘attack surface’ for connected technology outside the clinical environment, which is harder for hospitals to … remotely secure.”

Other complicating matters include mergers and acquisitions processes, which often include merging complex networks, and health systems’ reliance on cloud software for the storage of large amounts of data—an increasingly common occurrence—which can present a risk for greater exposure.

Foreign state actors continue to carry out a variety of activities. “daily barrage” According to Scott Dresen (the senior vice president for information security and chief security officer of the U.S. healthcare system), there have been numerous attacks on Corewell Health.

The Path Forward

Dresen stated that one way the federal government could help protect health systems from such attacks is to become “more aggressive” Protect foreign actors from maligning and provide more immediate assistance “actionable intelligence” Organisations working in the health sector can be consulted about what threats they should be looking out for.

A minimum standard for cybersecurity best practices was another step that all panel members agreed upon.

“That threshold can and should continue to change through time … but having that minimum threshold would be incredibly helpful for organizations,” Stirling Martin, Epic Systems senior vice president and chief security and privacy officer, noted this.

Garcia emphasized that cybersecurity is something workers from all industries can benefit from.

“We need to do a culture change,” He stated.

“It’s been a cultural problem for as long as I’ve been in cybersecurity that everyone outside of the security team says, ‘Cybersecurity? That’s the security team’s job, not my job.’ …”It is everyone’s responsibility.”