By Linda Rouse O’Neill; Senior Vice President for Supply Chain Policy, Health Industry Distributors Association
The rising number of cybersecurity breaches in healthcare, coupled with the critical role that healthcare distributors and manufacturers play in safeguarding patient data, underscores the urgency of enhanced cybersecurity measures. This isn't a new phenomenon. According to the HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, the number of reported healthcare breaches affecting 500 or more individuals rose by 107% from 2018 to 2022.
At HIDA’s annual Preparedness Summit, representatives of the medical supply chain heard from Commander T.J. Christl, Director of the ASPR Office of Critical Infrastructure Protection; and Jay Gazlay, Deputy Associate Director of Vulnerability Management for the Cybersecurity & Infrastructure Security Agency (CISA) within the Department of Homeland Security. These federal officials emphasized that healthcare distributors and manufacturers must invest now in cybersecurity preparedness and response.
These federal leaders in cybersecurity communicated three important lessons to business leaders at the Preparedness Summit:
- Cyber risk is business risk: Cybersecurity must be a top C-suite priority. A healthcare distributor's senior leadership should understand that cyber risk is business risk, and that a disruption to distribution directly affects the ability of providers to care for patients.
- Not if but when: Business leaders should treat a cyberattack as a certainty. It is not a matter of if cyber-criminals will attack your company, but when. Every company should run a tabletop exercise that assumes the organization has been hit by ransomware, so that response plans for that scenario (who decides, who communicates, and how operations and data are restored) exist and have been rehearsed before an incident, not written during one.
- Use federal resources to be cyber-ready: Christl and Gazlay encouraged companies to take advantage of the federal government's large suite of free resources and services. CISA offers assessments such as phishing campaign assessments and remote penetration testing to both public and private organizations at no cost, although capacity is limited and requests may wait in a queue. ASPR provides a Healthcare and Public Health (HPH) Sector Cybersecurity Framework Implementation Guide, as well as consensus-based best practices to strengthen the sector.
Meanwhile on Capitol Hill, HIDA is monitoring the following cybersecurity legislation that would impact the medical supply chain.
- Health Infrastructure Security and Accountability Act (Warner/Wyden): This bill would require the Department of Health and Human Services (HHS) to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and business associates. It would also remove the existing cap on fines under the Health Insurance Portability and Accountability Act (HIPAA) for healthcare corporations that ignore those standards.
- Healthcare Cybersecurity Act (Crow/Fitzpatrick): This legislation proposes the appointment of a special liaison to HHS within CISA to increase communication and collaboration during cybersecurity incidents. It also directs CISA and HHS to make cyberthreat defense resources available to nonfederal entities.
Companies within the medical supply chain must proactively adapt to evolving cybersecurity standards and collaborate with federal agencies to mitigate risk and protect the healthcare ecosystem. HIDA continues to use public-private partnerships that enable healthcare distributors to draw on federal resources to protect patients and providers from cyberattacks.