Cybersecurity experts to Congress: Incentives will lead healthcare industry to share threat data
To promote information sharing in the healthcare industry, Congress should not only foster a collaborative culture, but it should provide financial incentives to organizations committed to sharing threat information, security experts told officials during Congressional Energy and Commerce Committee hearing on healthcare cybersecurity Tuesday.
Congress should provide organizations tax breaks for Information Sharing and Analysis Centers, educate the industry on the importance of information sharing, protect data shared through ISACs and advocate for public-private partnerships, said Denise Anderson, president of the National Health Information Sharing and Analysis Center.
“It’s become increasingly apparent that the industry needs a government representative who understands cybersecurity issues, threats, vulnerabilities and impacts, as well as the blended threats between physical and cybersecurity,” said Anderson.
[SPECIAL REPORT: Ransomware rising, but where are all the breach reports?]
In addition, Congress should create permanent cybersecurity liaisons and leaders who are experienced and certified cybersecurity professionals, Anderson said.
Congress should also provide better legal protections for organizations to health officials who share breach data, she said.
Cybersecurity threats are rampant in the healthcare industry and sharing threat information is an important tactic to overcoming these vulnerabilities, said Terry Rice, vice president of IT risk management and cybersecurity for Merck.
Michael McNeil, global product security and services officer for Royal Phillips, said criminal tampering with medical devices and data puts patient lives in danger.
Specifically, medical device manufacturers should collaborate and agree upon a set of standards and regulatory requirements to bolster cybersecurity, McNeil said.
“The total number of cybersecurity incidents is significantly underreported,” Rice said. This is due to a number of reasons, such as limited requirements on when data needs to be reported.
Further, many of these organizations are financially unable to combat basic cybersecurity issues, he explained. Often, these smaller organizations are faced with purchasing necessary medical equipment or the latest cybersecurity tool.
“Neither private industry nor the government can solve this issue alone,” Rice said. “We must work collaboratively and transparently to reduce this risk.”
However, other ISAC barriers exist. Entrepreneurs will unlikely join an ISAC if a membership fees cost $1,000 or more, said Rep. Chris Collins, R-NY.