Cybersecurity Is Patient Safety – Ep 382 

 November 18, 2022

By  Donna Grindle

The healthcare industry is not immune to cyberattacks. In fact, it’s one of the most vulnerable industries. To protect patient safety and data security, hospitals and healthcare providers need to implement better cybersecurity measures. Today, we review a paper from the office of Senator Mark Warner (VA) that discusses policy options for the healthcare sector.


In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
405(d) Tip of the Week

[04:47] Donna just returned from the all-hands meeting for the Health Sector Coordinating Council (HSCC) Cybersecurity Work Group (CWG), in which 405(d) is one of the task groups. There were lots of great discussions and plans to start rolling things out to the public.

There is so much about to happen!!!! Any day now we will have many things to cover, so stay tuned!

Cybersecurity Is Patient Safety

[07:36]

Cybersecurity is Patient Safety: POLICY OPTIONS IN THE HEALTH CARE SECTOR

November 2022 letter from Senator Mark Warner’s Office, Virginia

“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate. The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities,” wrote Sen. Warner.

Divided in three parts, the white paper is organized as follows:

  1. Chapter one covers areas that the federal government needs to address to improve our national risk posture when it comes to cybersecurity in the health care sector. Specifically, it notes seven key challenges facing federal government agencies with jurisdiction over health care providers and cybersecurity, details the current state of play regarding cybersecurity threats, and outlines policy options for shoring up existing vulnerabilities.
  2. Chapter two covers ways that the federal government can help the private sector meet this threat through a combination of potential mandates and voluntary incentives to adopt best practices.
  3. Chapter three covers policies that could help health care providers respond to attacks in the event of a cybersecurity failure. Specifically, it notes ways institutions can recover following successful cyberattacks, and how to limit the resulting impact on patients and systems.

The point they hit right off the bat is that the health care sector is very much different from other sectors when it comes to cyber resilience needs. This snippet defines that pretty well:

The health care sector is vulnerable to cyberattacks for a number of reasons, including its reliance on legacy technology, a wide and highly varied attack surface (that only grows more complex from the ever-increasing number of connected devices), a high-pressure environment where even the slightest delay can have life-or-death consequences, funding constraints, and an outdated mode of thinking that views cybersecurity as a secondary or tertiary concern.

They continue further with this:

Although these cybersecurity vulnerabilities certainly leave health care organizations exposed to patient data theft, they often have far-reaching, and more serious, impacts beyond privacy concerns. Cyberattacks can be detrimental to patient safety, as they can lock physicians out of treatment tools, shut down hospital equipment used for care, and create backlogs that delay appointments and treatment. When it comes to cyberattacks affecting patient care, the question is no longer a matter of if or when, but how often and how catastrophic the consequences.

This is not a problem you solve in the same manner as in other sectors. Yes, those other critical sectors need to be secured, but the problems they face do not include such a broad attack surface combined with such frequently high-pressure environments. Yes, we in the health care sector are very special.

When it comes to cyberattacks affecting patient care, the question is no longer a matter of if or when, but how often and how catastrophic the consequences.

When we say HIPAA is about patient care, that includes patient safety. The paper points out that we don’t just impact care when some device is attacked, but also when any of these other examples occur.

In the details about how the sector is organized to deal with cybersecurity issues, our 405d group is not left out:

The HHS 405(d) Program, which started as a Congressional mandate under the Cybersecurity Act of 2015, brings together the health care industry and the federal government to raise awareness and develop best practices for providers that can be implemented by health care providers.

[19:50] The paper is out and asking for feedback on the policy questions it asks. There are a bunch of them but we will cover a few of them that we picked because we get to pick what we talk about. 😀

2.1 Establishing Minimum Cyber Hygiene Practices for Health Care Organizations

  1. How should Congress go about creating minimum cyber hygiene practices?
    1. What should be the incentives or penalties for compliance or noncompliance?
  2. Regarding including these as part of a facility’s Medicare Conditions of Participation – if this is not the preferred framework, why not?
    1. What makes cybersecurity – which we’ve learned has patient safety risks – different from other critical patient safety protections that are currently required?

Remember how we say HIPAA is the floor? If you are only doing the minimum you are in trouble.

[26:03] 2.2 Addressing Insecure Legacy Systems

  1. How should Congress help incentivize the alignment of the life cycles for medical equipment and the software that runs it?
  2. What sorts of requirements should medical devices have to meet in order to be eligible for reimbursement under a “cash for clunkers” style program?
  3. Should providers have a “right to repair” medical equipment by contracting with third-party providers?
  4. Should medical equipment manufacturers be required to update their products for a certain length of time?

Legacy devices are a problem everywhere, not just in healthcare. There needs to be a plan for replacing hardware and software down the road instead of being forced into it when the manufacturer stops supporting it or it just dies one day. Too many times companies don’t have a plan, and then it’s a mad scramble to figure out how to replace or upgrade equipment and software.

This is a big problem with medical devices. So many times we hear about how certain medical devices “have” to run on these legacy systems that are no longer supported. This is a huge problem that needs to be addressed and planned for.

[31:30] 2.5 Financial Implications for Increased Cybersecurity Requirements

Cybersecurity should be the “cost of doing business” – but given the Medicare program’s outsized role in setting the standards for health care payments outside the program, it’s necessary to determine how those literal costs of doing cybersecurity business are reflected in payment formulas the way paying the electricity or water bills are. Further, some settings, such as independent providers or those in rural settings, may need assistance in “startup” costs in technology and workforce talent.

  1. How should Medicare payment policies be changed to ensure cybersecurity expenses are incorporated into practice expenses and other formulas the same way other basic expenses are?
  2. For “startup” grants, what should the eligibility criteria be for a grant program that provides small, rural, and independent providers with funding for cybersecurity? Who should administer such a grant program? What should be allowable uses of such funds?

[36:48] Chapter 3 focuses specifically on the ability to recover after an attack in this sector.

3.5 Cyber Insurance

  1. Should Congress create a reinsurance program or otherwise regulate cyber insurance?
  2. What can Congress do to facilitate information sharing between the intelligence community and insurers?
  3. What’s the role of cyber insurance in insuring care provided via medical equipment that has been recalled or is currently unpatched?

Those are some tricky questions regarding cyber insurance, but definitely important ones. Taking the stance that you don’t have to worry about properly securing your network because your cyber insurance coverage will cover it is NOT a good plan.

In chapter 3 alone there were lots of great questions for discussion that we could have covered, but there were just too many rabbit holes we could have gone down.

There’s a lot of discussion in this letter and a lot of great questions in addition to the ones we covered in the podcast. I strongly encourage anybody who is remotely interested in this to read it. Even if you don’t want to give your opinions, use these questions to start conversations with leadership or your peers, or to look at the bigger picture.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
