Many U.S. hospitals operate with minimal or no cybersecurity programs and face a bevy of challenges, from staffing shortages to COVID pandemic-related strains. These concerns prompted healthcare leaders to press legislators for federal incentives and new mandates setting base-level cybersecurity standards.
Kate Pierce, Fortified Health Security’s senior virtual information security officer, outlined the current challenges facing healthcare before the Senate Homeland Security and Governmental Affairs Committee on Thursday.
But the failure to implement best-practice security isn’t necessarily rooted in a lack of understanding on lawmakers’ part.
Under current regulations, healthcare delivery organizations are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). The trouble is that the HIPAA Security Rule has just 42 controls, a far narrower set than the NIST Cybersecurity Framework (108 subcategories in CSF version 1.1) employed by most industries other than healthcare.
And even with those minimum standards in place, a September 2020 CynergisTek report showed that just 76% of healthcare providers comply with the rule. These security gaps have exposed the industry to a heightened threat landscape, further compounded by a reliance on legacy platforms and an ever-expanding device inventory.
Awareness of the issues is at an all-time high, given the daily reports of hospital outages and massive data breaches; even members of Congress have been affected.
Further, healthcare organizations were required to perform risk assessments after the implementation of the HITECH Act in 2009, Pierce explained. “So everyone is now aware of where their risks are.” But “they’re choosing to accept those risks in lieu of mostly financial reasons where they can’t afford or can’t staff their personnel to