Congressional Insight into Strategy to Combat Cyberattacks on the Healthcare Industry

King & Spalding

On April 16, 2024, the House Committee on Energy and Commerce held a bipartisan hearing on the issue of cyberattacks involving healthcare providers.

The Committee called as witnesses cybersecurity professionals and representatives of the healthcare industry. All explained that the nature of the industry makes it vulnerable to attack. Many medical devices and platforms are connected to the internet using software from third-party vendors that contains vulnerabilities a bad actor can exploit. The Committee witnesses explained that healthcare workers rarely have the expertise to identify or address vulnerabilities in their technology, so vendors must take care to make it as secure as possible before it ships. Moreover, technology systems must be maintained to remain safe, which requires ongoing investment. Some in the healthcare industry bring on a Managed Security Service Provider (“MSSP”) and outsource the monitoring and management of their technology and systems.

Members of the Committee and several witnesses queried whether vertical integration may play a role in creating cyberattack vulnerability. Some Committee members issued a call to arms to the FTC to take a critical look at vertical integration when approving mergers.

The witnesses agreed that Congress did not need to pass more laws, but that the healthcare industry needed to adopt existing best practices and optional frameworks, like the Health Industry Cybersecurity Practices (“HICP”) 405(d) framework set out by HHS. New requirements for reporting data breaches would further incentivize healthcare systems to invest in security. Committee members and witnesses alike discussed the need for further government funding to invest in security for rural hospitals that lack the funding and expertise to harden their systems.

Witnesses also noted that federal agencies like the FBI and the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (“CISA”) help entities when they have experienced a breach, but there is no equivalent of “calling 911” to assemble a rapid response team. CISA has designated the healthcare industry as critical infrastructure vital to the function of the United States. Thus, in the Committee’s view, the government needs to take an aggressive response toward bad actors, since many are sponsored or shielded by hostile nation-states.

Given the inevitability of future cyberattacks, Committee members asked what solutions would help the healthcare industry bounce back faster from them. Ostensibly straightforward plans like restoring from backup files are not as simple as they seem, especially if the bad actors have not been thoroughly evicted from the system. It was clear that, in addition to backup files, any breached entity would need a plan and an experienced team to implement it.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
