Health Care Needs a Public-Private Solution to Cyberthreats
COMMENTARY

The U.S. health care system is under attack. Cybersecurity breaches by hackers are escalating exponentially, with cybercriminals exploiting system vulnerabilities to perpetrate costly ransomware attacks and damaging data breaches. Ultimately, health care providers and technology vendors must find new ways to collaborate to lock down data in this evolving threat landscape.
Recent high-profile cybersecurity incidents underscore health care’s new reality: Hospitals need trusted industry partners to help protect patient privacy, safety and outcomes. Cybersecurity flaws in connected technology can lead to severe consequences — and even gaps in care — despite hospitals’ making every reasonable effort to vet their vendors and maintain their organizations’ cybersecurity practices.
Just one attack on a national claims processor created both a massive chokepoint and a glaring target for bad actors to harm providers’ operations, even when the breach is outside the provider’s control. In short, this isn’t a problem that can be fixed by simply telling hospitals to improve cyber practices and vet their vendors.
The connected technology footprint of hospitals is growing. These new vulnerabilities could be catastrophic for hospitals and escalate the risk of patient harm. Not only are patients’ lives potentially at risk, but doctors and hospitals could also face greater liability for medical decisions or care delays caused by falsified patient vitals. For example, if a surgeon were to operate on a patient based on falsified data from hackers displayed on a patient monitor, the hospital may face malpractice liabilities.
To successfully manage these risks, hospitals need their health care technology partners to step up. For example, large medical device manufacturers and electronic health record vendors can help hospitals better identify and mitigate the cybersecurity risks that come with connecting their products to the internet. Too often, hospitals end up bearing both the legal and financial risks and the cybersecurity burden for every connected device and information system used in their facilities.
Simply put, the victim cannot be the culprit. The industry needs real incentives to bring large third parties to the table to support providers — or else hospitals will continue to face the impossible task of defending both their own systems and those of every connected device.
Premier has long advocated for policy approaches that create an equitable mechanism for shared accountability among large IT vendors, device manufacturers and health care delivery organizations when cybersecurity breaches occur. Under this model, any penalties assigned for the incident would be based on a root cause analysis, creating mutual responsibility for cybersecurity practices and strengthening the entire health care sector.
Health care also needs a new approach for its cybersecurity workforce to maintain operations — as tight margins and specialized needs stretch resources thin, and hospitals cannot financially compete with large technology companies for top cyber talent.
In an environment where the demand for skilled cyber professionals increasingly outpaces workforce growth and skillset, the ever-growing talent gap threatens America’s critical health care infrastructure. The Office of the National Cyber Director has made growing our cyber workforce a priority with the Service for America program, but additional action is needed to ensure that critical infrastructure can meet health care’s workforce needs.
Health care also needs government partners to reset the playing field and recognize hospital cybersecurity as the national security threat that it is. The federal government must tackle this threat head on and create a training pathway that places skilled workers directly in hospitals and other critical infrastructure operators.
Across our military, national security operations and disaster relief agencies, such programs already exist to ensure America has trained professionals deployed to keep us safe. It is time to replicate these successes to put cybersecurity professionals to work for hospitals, on the frontlines of cyber warfare in health care.
Additionally, we need to coordinate the resources and expertise of the federal government to help protect the health care sector and patients from the rising tide of foreign threats. Although the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency regularly publish threat alerts and flag vulnerabilities in the health care sector, these alerts do not always translate into action.
In the face of increased pressure from foreign, state-backed bad actors and transnational criminal organizations, the health care sector does not always have the capacity to respond to these large-scale threats.
The sector needs a public-private partnership that draws on the expertise of Defense, Homeland Security and intelligence experts across the federal government. In recent years, programs like CISA’s Joint Cyber Defense Collaborative and the National Security Agency’s Enduring Security Framework have sought to operationalize public-private cyber partnerships, but with mixed results.
These programs sought to overcome the hesitancy to share operational threat data and intelligence between the public and private sectors to combat nation-state threats. Now is the time to take this model a step further and combine government and industry resources for cyber incident response, not just threat sharing.
To defend patient safety from increasingly sophisticated actors, hospitals should partner with national security, law enforcement and defense agencies to rapidly act on identified threats.
This model would require an entirely new approach to cybersecurity, forgoing the adversarial relationship between industry and regulators in favor of a joint effort to develop a more secure and sustainable health care system.
The daunting landscape facing hospitals is only becoming more dangerous as the number of internet-connected medical devices is expected to skyrocket from 10 billion to 50 billion over the next decade. The number of threats is only going to increase as well — and by one measure, 92% of health care organizations have already experienced one cyberattack. Hospitals need the appropriate support from industry partners and the federal government to find innovative solutions to the cybersecurity challenges facing the industry.
Together, we must find cyber solutions that protect our national security and put patients first.
Michael J. Alkire is the president and CEO of Premier Inc., a leading health care improvement company, uniting an alliance of more than 4,350 U.S. hospitals and health systems and approximately 325,000 other providers to transform health care. With integrated data and analytics, collaboratives, supply chain solutions, consulting and other services, Premier enables better care and outcomes at a lower cost. Premier plays a critical role in the rapidly evolving health care industry, collaborating with members to co-develop long-term innovations that reinvent and improve the way care is delivered to patients nationwide. Alkire can be reached on LinkedIn.