Cybersecurity ‘Urgings’ Put Healthcare at Risk
This article originally appeared in DC Journal and across regionally syndicated publications.
The following is a guest article by Chris Bowen, Founder and CISO at ClearDATA
The ransomware attack on Change Healthcare is the most significant attack on the American healthcare system. It sent shockwaves through the industry, halting payments to affected providers. It lays bare the vulnerabilities that threaten our system’s survival. So, with deep concern for the security of patients, I address the disappointing response to this attack from the Department of Health and Human Services.
While the intent to fortify healthcare cyber-defenses is evident, the approach outlined in the HHS strategy falls astonishingly short.
In an industry that prides itself on ethical and life-saving practices, the forlorn reliance on voluntary compliance, incentives and polite urging is not just misguided; it’s a security calamity.
The HHS strategy document, replete with its “we urge you to consider this” and “we encourage the adoption of that,” reads more like an academic dissertation on idealistic cyber diplomacy than a blueprint for action in a war where the bullets are lines of code and the casualties are trust, patient records and, in some cases, human lives. And make no mistake, we are at war.
It’s as if the strategy were crafted in a world where mere suggestions have the force of law, where the word “please” is all it takes to fend off cybercriminals. One can’t help but marvel at the sheer optimism — or is it naivety — of believing that urging healthcare organizations to voluntarily beef up their cybersecurity will somehow suffice.
An annual report spotlighting the tactics top threat actors use to exploit healthcare data — doesn’t mince words. The frequency and sophistication of attacks on healthcare continue to climb. These are not chances for optional compliance; these are grave and material threats that beg for proactive, stern measures to deter and defend against them.
Urgent “suggestions” are not what fortify a country and its citizens against cyber warfare; it is mandates — clear, enforceable, non-negotiable imperatives set by regulators that define the boundaries and defenses in this digital battlefield.
The cost of not acting was vividly on display in the recent Change Healthcare cyberattack. The aftermath of the attack is a stark reminder that “urging” has no place against criminals who play fast and loose with our healthcare infrastructure that handles the most sensitive information in our lives.
The HHS strategy, laudable in its sentiment, is outright feckless in execution. Cyberthreats in healthcare don’t respect conventions; they require a forceful, proactive stance from regulators. The report demands that we treat cybersecurity not as a mere cog in the healthcare machine but as an indispensable, pivotal layer that requires our serious investment and oversight.
The 2023 Healthcare Threat Report takes the masks off today’s key Advanced Persistent Threat groups behind the Change Healthcare attack. Right now, none of us can claim “we didn’t know” when another attack like this happens, likely at any moment. We already understand these ruthless cybercriminals, they’re capabilities, and the highly coveted and vulnerable personal health data they’re after.
It’s time HHS confronts the threat without fear of special interest groups deluging regulators’ campaigns against meaningful change. It’s time to wake up and address this as the crisis that it is.
Indecisiveness or half-measures are no different from inviting the enemy in through the front door. It’s not too late — a mandatory cybersecurity framework is a clear, actionable step that would signal the seriousness of our intent to the industry. It would establish a baseline where no healthcare entity — large or small — can operate without the fortified digital defenses necessary to repel, repudiate and report on potential cyber incursions.
In matters as grave as these, we must not be beggars for compliance but enforcers of necessity. There comes a time when the call for action must rise above the chorus of urgings and translate into the language the digital landscape understands.
The time is now. The need is clear. The action is yours. The consequences of inaction, undeniably, are on us all.