Health industry witnesses this week called for enhanced inter-agency collaboration – to include critical infrastructure sector participation – in order to mitigate cybersecurity risks facing the healthcare sector.
During a Senate Homeland Security and Governmental Affairs Committee hearing on March 16, Chairman Gary Peters, D-Mich., explained how “there’s much more for Congress to do to ensure that critical networks in our health care and public health sector remain resilient against cyberattacks.”
In order to remain resilient, witnesses called for increased collaboration and inter-agency sharing of cybersecurity threat intelligence.
“We need help from the United States government to respond to these threats more effectively. Requirements for interagency sharing of cybersecurity threat intelligence is a productive step forward,” said Scott Dresen, the chief information security officer (CISO) of Corewell Health.
“We need more of this and need that enhanced collaboration, to include critical infrastructure sector participation, including the ability to automate threat intelligence data sharing with sector participants – enabling rapid, near real-time automatic ingestion of threat intelligence into the technologies participating members use to protect their respective organizations,” the CISO added.
Greg Garcia, the executive director of cybersecurity for the Healthcare and Public Health Sector Coordinating Council, agreed with Dresen, saying that there needs to be improved coordination at the agency and industry level – some of which “may require congressional action.”
Garcia commended the Cybersecurity and Infrastructure Security Agency (CISA) for directing more of its recent attention to the healthcare sector.
However, he said, “that level of attention needs to be triangulated among HHS [the Department of Health and Human Services] as the sector lead, CISA as the technical support, and industry as the owners and operators.”
Kate Pierce, the senior virtual information security officer at Fortified Health Security, also pointed to the fact that there’s a lot of confusion about which agency or best practices to turn to when it comes to cybersecurity – because there’s a lot.
“We need better coordination of government cyber efforts. While guidance and services from many agencies is appreciated, there’s often a knowledge gap regarding the unique healthcare challenges that must be considered,” Pierce said.
“Also, most rural hospitals are not effectively utilizing available resources. To be effective, government services must be streamlined, knowledgeable, and available,” she added.
A good first step, Garcia recommended, could be subsidies from the Federal government for small or rural hospitals to get access to information-sharing forums such as the Health Information Sharing and Analysis Center (Health-ISAC).