Ignore Uncle Sam's 'voluntary' cybersecurity goals for hospitals at your peril

Interview If you are responsible for infosec at an American hospital or other healthcare organization, and you treat the US government's new "voluntary" cybersecurity performance goals (CPGs) as, well, voluntary, you're ignoring the writing on the wall. 

Plus, you're going to be in for a world of hurt when new regulations – which will very likely mirror these voluntary practices – take effect, according to Taylor Lehmann, a director in Google Cloud's Office of the Chief Information Security Officer.

"The benefit of the CPG is that it indicates where the ball is bouncing next, and what the standards and expectations are for what organizations should be working on," Lehmann told The Register.

Lehmann, a former CISO of Athenahealth and Tufts Medicine, said the proof is in previous federal agency rulemaking processes.

"It may not be today, but what is on HHS paper will most likely become what is in the actual final rulemaking or new regulatory requirements that become law," he said. "If you buy into the fact that voluntary doesn't mean you have to do something, you are probably going to be wrong. Voluntary goals become mandatory, and that has usually been the case with other rulemaking in healthcare as it relates to security."

In early January, as a record-breaking 46 health networks with a total of 141 hospitals between them were still reeling from ransomware infections and data theft in 2023, rumors started swirling that the White House would soon require US hospitals to meet basic cybersecurity standards before receiving federal funding.

During all of this, the criminals behind the intrusions were using their own increasingly dangerous extorion methods to force hospitals to pay ransom demands.

When asked about the hospital rules, the Centers for Medicare and Medicaid Services directed The Register to a concept paper published in December that outlines the Department of Health and Human Services' (HHS) cybersecurity strategy.

According to the paper [PDF], officials will propose new, enforceable security standards, and will work with Congress to administer financial support and incentives for hospitals to implement "high-impact cybersecurity practices," among other actions.

Later in January, HHS released the voluntary, healthcare-specific CPGs.

Essential doesn't mean easy

These goals are divided into two categories, essential and enhanced, and each has ten specific things that organizations can do to better protect themselves from cyberattacks.

The essential goals sound like base-level security – the kind of things one would hope that hospitals and clinics already have in place.

But, according to Lehmann, they are all based on real-world exploits and compromises. "Basically what the sector experienced over the last year," he said. "I'd love to say these are super obvious, but clearly they are not all being done."

They include mitigating known vulnerabilities, using multi-factor authentication, implementing email security, training employees in secure behaviors, encrypting sensitive data, and revoking credentials for employees, contractors, and volunteers when they leave the organization.

Basic incident response planning, using unique credentials, separating user and privileged accounts, and assessing vendor and supplier risks round out the essential goals.

"The point is, basics aren't always necessarily easy. The basics can be super hard," Lehmann said. 

Healthcare networks, especially those with clinics and hospitals in smaller, rural communities, aren't running modern technology stacks. Some of their equipment is decades old, and they can't afford to upgrade it or hire enough employees to support their security goals.

"The tech debt has stacked up for years, and to overcome it, in many cases, will put organizations out of business," Lehmann said. "It happened this summer."

He's referring to an Illinois hospital that said it would shut down in part because of a ransomware infection.

This isn't to say large hospitals are immune from ransomware or other cyberattacks. Case in point: CommonSpirit Health, America's second-largest nonprofit healthcare org, diverted ambulances and shut down electronic record systems at its facilities and hospitals across 21 states.

"We're going to keep struggling – that is, until the point where HHS steps in, which is what they have alluded to doing," Lehmann said.

Still, implementing even the essential goals like multi-factor authentication, for example, can present difficulties.

"How are you going to get 15,000 people to do two-factor authentication enrollment in a window of time? And with appropriate resourcing, to make sure if a catastrophic event occurs and we're in the middle of a two-factor enrollment, that we don't have to shut the hospital down? If these things aren't done well, they can have catastrophic operational impacts on really sensitive life-saving things," Lehmann said.

Another of the essential goals – revoking credentials when people leave the organization – isn't as easy as it sounds either.

"Not if you're an academic medical system where you've got five or more academic institutions, and you don't know when those students graduate, you don't know when they leave," Lehmann said. 

He added that the essential goals do "miss the point" a bit by focusing primarily on preventing attacks, instead of equally prioritizing resilience and recovery. For too long, data confidentiality, and protecting patient's PII and health information, has been seen as the only goal in securing healthcare because failing to protect confidential information is what gets hospitals in trouble with government agencies.

"Availability is equally important, if not more important, than confidentiality," Lehmann said, adding that many healthcare orgs haven't yet progressed to this way of thinking about security. "I care if my data gets breached, but I care more if I die because of it." ®