This article originally appeared in Healthcare IT Today.

The following is a guest article by Chris Bowen, Founder and CISO at ClearDATA

The recent cybersecurity concept paper from HHS, while a gesture towards progress, falls critically short of what is imperative in today’s climate. In an era where HHS itself notes a 93% increase in large healthcare data breaches from 2018 to 2022, and a 278% increase in those involving ransomware, suggesting “voluntary cybersecurity goals” is akin to applying a band-aid to a hemorrhage. It’s time for HHS to mandate and enforce rigorous, prescriptive cybersecurity standards.

First and foremost, if you’re treating patients, there should be a clear mandate for certain minimum cybersecurity standards. For example, in the healthcare industry, we have to abide by HIPAA — a law that helps protect the privacy and security of people’s health information. We can’t serve our patients if we don’t ensure that protected health information (PHI) is kept private.

For healthcare organizations, and the organizations that support them, minimum cybersecurity mandates should make encryption of PHI a required safeguard rather than merely an addressable one, covering data both at rest and in flight and using up-to-date encryption algorithms. Granular role-based access control, multi-factor authentication (MFA), network segregation, and robust disaster recovery measures that are tested regularly also increase resiliency should a ransomware attack occur.

The HHS also outlines its intentions to seek funding from Congress to provide the necessary resources to protect our health system. I agree that healthcare organizations can definitely use the resources, as they are faced with reduced margins. Moreover, the sector’s talent gap in cybersecurity is no secret, and it places our hospitals at a disadvantage, jeopardizing patient safety.

To help close this talent gap, Senator Mark Warner from Virginia, who co-founded the bipartisan Senate Cybersecurity Caucus in 2016, in his policy paper, Cybersecurity is Patient Safety, calls for Congress to, “consider establishing a workforce development program that focuses specifically on healthcare cybersecurity, due to cybersecurity workforce shortage happening across industries,” among other industry-incentivizing programs. It’s new approaches and ideas like these that will build a skilled workforce that is ready to protect the healthcare delivery system from existing and future cybersecurity threats.

The HHS goes on to propose a strategy to support greater enforcement and accountability. The last thing resource-constrained hospitals need in the name of accountability is more fines because a bad actor infiltrated their systems while they were trying to serve patients – costs that are then passed along to patients.

Instead of playing defense by extracting funds from the healthcare system – which also penalizes the hospital systems by further reducing resources to protect against cyber-attacks – we need to play offense and look at how we can take bad actors offline before they have a chance to attack.

Finally, the HHS looks to expand and mature the healthcare cybersecurity support function within the Administration for Strategic Preparedness and Response (ASPR). Here I agree – we can use all the help we can get. Protecting lives extends beyond the physical realm; it encompasses shielding patients from the lethal threat of cyber-attacks. To accept minimum, voluntary standards is to tacitly endorse a status quo that endangers our patients. This isn’t just about data; it’s about lives. The time for half-measures is over. We owe it to our patients to fortify our defenses with the utmost urgency and resolve. They depend on us in their most vulnerable moments; we cannot let them down.

About Chris Bowen

Chris Bowen is an accomplished executive with over 20 years of experience in healthcare technology, security, and privacy. His expertise spans multiple public cloud platforms, and he is known for his passion for protecting patient privacy and ensuring health data security. He is a sought-after speaker at national industry events and webinars on topics spanning health data security, legislation, and AI in healthcare.

His visionary leadership has shaped the course of ClearDATA, making it the only Cloud Security Posture Management company specifically focused on protecting patient data. Before establishing ClearDATA, Bowen served as the CEO of software development company DirectClarity and laid the foundation for the European market of First Solar.

Known for his patient-first approach, Bowen’s contributions to the healthcare cybersecurity sector have won him recognition across the industry. His expert insights are regularly featured in prestigious media outlets including The Washington Post and The Wall Street Journal, and he is a well-known advocate for policies that ensure data protection amid the rise of generative AI tools in healthcare. Bowen is a proud member of several noted industry associations and a proud alumnus of Arizona State University, the Harvard of the West.