Cybersecurity in the health care arena is proving more difficult as hackers forge ahead of responses to those threats, and some believe that medical devices and electronic health records are unusually susceptible to hacking. Leo Scanlon, deputy chief information security officer at the Department of Health and Human Services, said in a congressional hearing that health care IT systems in the U.S. were not as badly compromised by the WannaCry ransomware as those in other nations, but he added that "in part, it was probably good luck" that the U.S. was not more severely affected.
The House Energy and Commerce Committee's oversight and investigations subcommittee met June 8 to review a pair of reports dealing with cybersecurity, a response to legislation passed in 2015. Congress passed the Cybersecurity Act of 2015 in December that year as part of a spending bill for FY 2016, which among other things provided a means by which the federal government, state government, and private-sector entities can share information about security threats.
The FDA's device center likewise has moved to encourage sharing of cybersecurity threat information, including the completion of a guidance dealing with device cybersecurity, which was finalized in December 2016. (See BioWorld MedTech, Dec. 29, 2016.)
Scanlon said the disparity in the aggregate effects of WannaCry between nations was not a question of the spread of the ransomware, but was more a question of a disparity in impact. The health care sector, he said, "is particularly sensitive to ... the Internet of things," remarking that many of the items captured in that expression were not designed to communicate with other devices.
"We can patch our systems without a great deal of difficulty," Scanlon said of IT systems generally, but he said patches for health care applications require more diligence up front to ensure they will not engender any unforeseen problems. "Devices that were unpatched were impacted by this in a very severe way," he said of WannaCry, adding that the difficulty of getting patches to these systems was a factor as well.
Representatives of government must "get on the road" and communicate with device makers and publishers of electronic health record software to encourage more engagement, Scanlon said, observing that a misunderstanding of federal policies allowed device makers to believe that the FDA "does not allow you to patch a device" unilaterally. He said the FDA "has made great efforts to demystify" that issue, but more outreach may be indicated. "We feel there is a need for much better communication" regarding these issues, Scanlon said, explaining that the department will develop "plain-language guidance" that will take the edge off the private sector's anxiety on this score.
When asked about the FDA's cybersecurity capability, Scanlon said the FDA response to a recent GAO audit "was robust and vigorous," stating that the agency is forming a cybersecurity capability staffed with first-rate analysts. He also stated, however, "we're always looking for funds to support these activities."
Subcommittee chairman Rep. Tim Murphy (R-Pa.) noted that the government's interest in cybersecurity "ultimately comes down to patient safety," which may have been a nod to security issues associated with several electronic medical devices as noted in the subcommittee's background memo. He said the second of two congressionally mandated reports on cybersecurity capability had concluded that health care cybersecurity "is in critical condition."
Murphy added, "frankly we're lucky the United States was largely spared" the damage associated with WannaCry, adding that all entities, "large and small," must be involved. Rep. Greg Walden (D-Ore.), chairman of the full Energy and Commerce Committee, was in attendance, remarking that health care IT security "is in critical condition," thus underscoring the committee's emphasis on the issue.
Steve Curren, director of the Division of Resilience at the Department of Health and Human Services, said private organizations are wary of sharing information about cyber vulnerabilities with the federal government for fear of legal liability, and that government agencies must more effectively communicate the protections available to the private sector in such instances. He said the protections in the 2015 cybersecurity law go a long way toward that.
Small and rural health care organizations are especially in need of cybersecurity assistance, Curren continued, which prompted the issuance of an HHS grant to help with information sharing for these organizations that struggle with resource constraints. Scanlon said HHS had issued a series of one-page papers in real time during the WannaCry episode for health care organizations that needed the assistance, adding that even some larger provider organizations may find themselves compromised by some of the phishing and other attack types commonly associated with these cyber threats.