The American Hospital Association (AHA) responded to Senator Mark R. Warner’s policy options paper by stating that while hospitals and healthcare systems have taken the necessary precautions to safeguard patients and protect their networks from cyberattacks, they still require future assistance through cybersecurity policies to combat cybersecurity risks.
In the paper, experts analyzed the issues that federal agencies encounter concerning jurisdiction over policies that could support cyberattack responses, healthcare cybersecurity, and approaches the government could take to help the private health sector combat security threats through mandates and incentives. Although the AHA stated its agreement with some areas of the letter, it also made suggestions to improve policies in order to provide hospitals and health systems with adequate support. AHA first suggested an improvement in federal cybersecurity leadership in order to bolster cyber posture in the healthcare sector. AHA also supports the Healthcare Cybersecurity Act, which will provide cybersecurity training and promote analysis of healthcare cybersecurity risk with an emphasis on rural hospitals, medical device weaknesses, and a cybersecurity worker shortage. In addition, the letter calls on the federal government to provide more assistance to healthcare institutions facing cyberattacks or protecting themselves against them, as the private sector frequently bears the brunt of these kinds of attacks. In order to reduce risk, AHA also suggested tackling risks to intellectual property (IP) through the current Department of Justice Task Force on Intellectual Property. Foreign threats to IP and their impact on medical research have been a significant concern for the healthcare sector. Smaller hospitals lack the capacity to adequately address IP risks, despite the fact that government authorities have published various guidelines on IP protection.
Furthermore, AHA is in favor of setting standards for healthcare cyber hygiene practices in order to guarantee that patient health information is well-protected. The Medicare Conditions of Participation (COPs) and Conditions of Coverage (COCs), for example, are mentioned in the letter as existing procedures to protect patient information. Nevertheless, these requirements cannot keep track of minimal cybersecurity practices. In order to effectively manage medical devices that are regularly targeted, the hospital group also supports a software bill of materials that would identify the information technology solutions in a device. The letter claimed that as network-connected medical equipment and technology grow more common in the healthcare sector, they could serve as entry points for cybercriminals. Threat actors often take advantage of vulnerabilities in healthcare companies’ medical devices. AHA contends that there should be greater incentives for manufacturers to patch security flaws in medical equipment.
Additionally, the letter advocates an incentive-based strategy to raise cybersecurity standards rather than fining hospitals for breaches. The persistent cyberattacks from abroad that target the healthcare industry with data theft and ransomware attacks have caused a substantial increase in the price of cyber insurance and a noticeably lower level of coverage. AHA argues that as a result, the government should develop a reinsurance program to help support victims of high-impact cyberattacks.