Health Sector Wants Fed Assist on Cyber

The month of June has seen an increase in data breaches at hospitals, health systems, and health plans. The U.S. Department of Health and Human Services (HHS) has published new guidance to help combat the breaches, but healthcare organizations are asking for more help.

Several high-profile healthcare entities have suffered data breaches in the last month. On June 3, Kaiser Permanente informed members of its Kaiser Foundation Health Plan of Washington of an unauthorized access incident that occurred on April 5, 2022.

At Atrium Health, officials notified users that an unauthorized third party gained access to a home health employee’s business email and messaging account via phishing exploits. In addition, earlier this month UNC Lenoir Health Care disclosed an incident involving a breach of patient information by MCG Health, one of its third-party business partners.

The government’s role in helping healthcare entities combat cyberthreats lies with two agencies – HHS and the Cybersecurity and Infrastructure Security Agency (CISA). Both agencies provide information about attacks and how to build infrastructure to fend them off. CISA also has incident response teams to help combat cyberattacks.

To help healthcare institutions combat cyber threats, the HHS Health Sector Cybersecurity Coordination Center published the Strengthening Cyber Posture in the Health Sector guidance, which highlights several steps that healthcare institutions should take, including:

  • Conduct regular security posture assessments;
  • Consistently monitor networks and software for vulnerabilities;
  • Define which department owns what risks and assign managers to specific risks;
  • Regularly analyze gaps in your security controls;
  • Define a few key security metrics; and
  • Create an incident response plan and a disaster recovery plan.

Some hospitals and other healthcare entities want more help. They said they want the Federal government to provide more security for this critical national infrastructure, because the onus of navigating cyber threats and data breaches lies with the individual healthcare institution.

“It blows my mind that ultimately, it’s on the individual hospital systems to attempt to – essentially in isolation – figure it out … If a nation state has bombed bridges that connect over the Mississippi River and connect state A and B, would we be looking at it in the same way? And yet the same risk to life happens when they shut down a health system,” said Lee Milligan, chief information officer at Oregon-based Asante Health System, during a Politico interview.