News Feature | April 11, 2017

House Subcommittee Urges Healthcare Industry To Partner With Government On Cybersecurity

By Suzanne Hodsden

The Subcommittee on Oversight and Investigations, part of the U.S. House of Representatives Committee of Energy and Commerce (CEC), held a hearing to discuss strengthening cybersecurity in the healthcare sector by facilitating public-private relationships that are used to secure other industries, such as financial and automotive. In testimony, both government and industry representatives agreed that there should be greater efforts to increase participation in information sharing between public and private interests, and applauded the FDA’s recent efforts to address the issue.

Advances in connected technology and the exponential rate of its adoption worldwide have brought cybersecurity to the forefront of security concerns. In a memo written by the majority staff of the House CEC, authors wrote that there is “no single solution to better cybersecurity; it depends on multiple improvements, new approaches, and fresh thinking, as well as a commitment to strengthening existing institutions.”

Public-private relationships that foster information sharing to build strong defenses against cybersecurity threats already are in place in other sectors, but growth and participation have been sluggish in the healthcare industry. Terry Rice, chief information security officer at Merck, testified at the hearing that the Financial Services Information Sharing and Analysis Center (ISAC) currently has 6,000 participating members. In comparison, the National Health ISAC (NH-ISAC) has only 200 members.

According to witnesses, information sharing and collaborative analysis allow serious issues to be handled quickly and collaboratively to minimize confusion and misunderstanding, but the unique challenges of the healthcare sector — including privacy concerns and varying levels of technological advancement — have caused many industry stakeholders and providers to hesitate.

“To start, healthcare is an incredibly diverse and complex sector with a wide range of industries and institutions of various sizes, technological sophistication and resources. It is also a sector where cybersecurity often becomes conflated with privacy or compliance, complicating the discussion,” said Rep. Tim Murphy (R-Penn), during the hearing.

According to Rice, advancement and adoption of connected medical technology and electronic records are outpacing efforts to secure them, and though there have not yet been any life-threatening incidents reported, security specialists believe it is only a matter of time. A recent report from Berg Insight estimates that there are currently 7 million patients using connected medical devices.

“Electronic evidence gathered through normal security monitoring suggests there are a lot more breaches and incidents than are currently reported,” said Rice. “Neither the private sector nor the government can solve this problem alone; we must work collaboratively and transparently to reduce the risk.”

President of the NH-ISAC Denise Anderson suggested that the government appoint a liaison who can facilitate participation between the public and private sectors at a single point of contact. She also noted that tax incentives or breaks may be necessary to facilitate participation, though hesitation by many potential participants hinged on privacy concerns, and that the government should make an effort to assuage these fears.

The FDA recently finalized a cybersecurity guidance on postmarket devices to outline the agency’s suggested approach to security management once a device is on the U.S. market. Authors of the subcommittee memo credited the agency for getting a head start on this serious issue and noted that its approach should be used as a success model for future security endeavors.