This article originally appeared in HIT Consultant

By Chris Bowen, Founder and CISO, ClearDATA

 

The recent $50 million initiative announced by the Advanced Research Projects Agency for Health (ARPA-H) can’t hurt in the ongoing battle against ransomware in the healthcare sector.

This investment is aimed at strengthening the cybersecurity defenses of hospitals nationwide, protecting sensitive patient data, and enhancing the resilience of healthcare systems against cyber threats. However, I must emphasize that while $50 million is a step in the right direction, it is merely a drop in the bucket given the scale of the problem.

For years, the healthcare sector has been a prime target for cybercriminals, with ransomware attacks becoming alarmingly frequent and increasingly destructive. Major organizations like Change Healthcare and Ascension have faced significant disruptions due to these breaches.

The 2023 Ponemon Institute report indicates that 45% of healthcare organizations experienced a ransomware attack, with 67% of those incidents causing significant disruptions to patient care.

These attacks not only compromise patient data but also jeopardize the delivery of essential healthcare services, potentially endangering lives. The introduction of ARPA-H’s Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program is a timely and necessary intervention.

A Proactive Approach to Cybersecurity

The UPGRADE program aims to develop a comprehensive and scalable software suite to enhance the cybersecurity posture of hospitals. By reducing the patching time for vulnerable healthcare products from months to mere days, UPGRADE seeks a transformative shift in how hospitals can defend against cyber threats.

The initiative focuses on four key areas:

  • creating a vulnerability mitigation platform
  • developing high-fidelity digital twins of hospital equipment
  • rapidly detecting software vulnerabilities
  • developing defenses for each identified vulnerability

These technical goals represent a proactive approach to cybersecurity, moving away from the reactive measures that have characterized the healthcare sector’s responses in the past. For instance, developing digital twins will allow hospitals to simulate and test the impact of patches and updates in a controlled environment, thereby reducing the risk of unintended consequences that could disrupt patient care and providing hospital staff and patients with much-needed confidence and peace of mind.

Penalties Are Counterproductive

Despite the strategic direction of the UPGRADE program, it is crucial to reconsider how regulatory bodies like the Office for Civil Rights (OCR) approach cybersecurity in healthcare. Historically, the OCR has imposed fines on healthcare providers following data breaches, a strategy that often feels punitive rather than supportive.

In 2022, the OCR imposed a total of $15 million in fines on healthcare entities for non-compliance with HIPAA, leading to data breaches.

This punitive approach is fundamentally flawed. It is disheartening to see healthcare providers penalized in the aftermath of cyberattacks, especially when they are already grappling with the financial and operational fallout of such incidents. Fines do nothing to prevent future attacks or aid in recovery; instead, they divert resources away from critical security enhancements.

The Real Solution: Collaboration

Rather than focusing on penalties, the OCR should emphasize collaboration and support. By working closely with HHS and leveraging initiatives like UPGRADE, regulatory bodies can help healthcare organizations build robust defenses against cyber threats.

The $50 million allocated to the UPGRADE program is a step towards addressing these threats but is just the beginning.

Continuous investment in cybersecurity, combined with a collaborative approach between regulatory bodies and healthcare organizations, is crucial for building a resilient healthcare system.

A study by the Cybersecurity and Infrastructure Security Agency (CISA) found that 82% of healthcare organizations reported an increase in cyberattacks over the past two years, with phishing and ransomware being the most prevalent threats.

Considering that healthcare is one of the most data-rich and yet data-vulnerable sectors, we need more than just fines and reprimands – we need a unified front.

About Chris Bowen

Chris is the Founder and Chief Information Security Officer at ClearDATA. He leads ClearDATA’s internal privacy, security and compliance strategies as well as advises on the security and privacy risks faced by customers, which include global healthcare organizations, health insurance companies, providers, life science companies, and market-leading innovators from Asia Pacific, North America, and Europe. Mr. Bowen also leads ClearDATA’s international security risk consulting practice and has provided counsel to some of the world’s largest healthcare organizations.

He is a Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Technologist (CIPT) from the International Association of Privacy Professionals (IAPP), and Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional from (ISC)2. As one of the leading experts on patient privacy and health data security, Chris has authored dozens of articles and is a frequent speaker at national healthcare industry events.