Appendix: Summary of Policy Recommendations
Culture
Recommendation #3.1: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) should showcase health systems with innovative privacy and security programs.
Rather than a punitive “Wall of Shame” philosophy that focuses on data breaches and the failures around them, OCR should highlight positive examples of risk assessment and of thinking holistically about trust. This can empower healthcare organizations by recognizing the good privacy and security work already being done.
Recommendation #3.2: Provide multi-tiered information sharing for healthcare’s diverse practice environments.
Small, medium, and large providers have different needs and different capacities when it comes to addressing the privacy and security challenges of today’s healthcare sector. The American Medical Association, American Hospital Association, HHS, and other organizations should work to design information sharing systems specific to these varied needs and capacities.
Recommendation #3.3: Develop the cybersecurity equivalent of the nurse-to-patient ratio.
To guide the allocation of cybersecurity resources within health organizations, benchmark ratios for budget, team members, and other factors can assist organizations that lack a clear way to quantify their cybersecurity needs. Because choosing the right metrics is difficult, HHS and other grant-making bodies should spearhead the data collection needed to inform the design of such a ratio.
Recommendation #3.4: Hold boards of directors responsible for healthcare privacy and security.
Formal reporting structures for privacy and security incidents are essential to effective oversight, and this extends to receiving top-level support from the board. Congress, through legislation, and the Centers for Medicare and Medicaid Services, through its conditions for participation, can encourage or require board engagement with privacy and security issues at each provider.
Recommendation #3.5: Ease resource sharing regulatory burdens to empower small- and medium-sized organizations.
The Anti-Kickback Statute and the Stark Law prevent health professionals from using their power of referral for their own gain, yet they also limit collaboration on cybersecurity issues. HHS and CMS should thus create regulatory exemptions that allow for cybersecurity collaboration under these laws, which will particularly benefit small- and medium-sized organizations.
Technology
Recommendation #4.1: Create a government-backed program to encourage the phasing out of legacy technologies and phasing in of secure and interoperable technologies.
Congress should work with accreditation organizations like The Joint Commission and with government agencies to produce an incentive program, perhaps through Medicare and Medicaid reimbursements, to phase out legacy systems. Stronger privacy and security requirements for replacement systems can further help bolster system cybersecurity.
Recommendation #4.2: Learn from the financial sector’s success in sector-specific cybersecurity investment, spearheaded by the National Cybersecurity Center of Excellence (NCCoE).
In the financial sector, large players with the requisite capital have acquired cybersecurity companies so that those companies tailor their products to the industry’s specific needs. NIST’s NCCoE should not fund or develop the technologies itself, but it can serve as a coordinating body that brings together major healthcare players with the capacity to emulate the financial sector model, based on a three-tier framework of universal platform technologies, industry-specific technologies, and subsector-specific technologies.
Recommendation #4.3: Leverage a broad array of existing funding programs to spur healthcare cybersecurity basic research and innovation.
The government should spearhead the creation of a program that forecasts where healthcare cybersecurity may be heading over the next five years and identifies the research strategies that could shape that future. This should include a net assessment of existing research and development efforts in this arena, and a focus on concentrating R&D on insider threat detection, IoT medical device security, and AI technologies for privacy and security.
Recommendation #4.4: Create mechanisms for clarifying privacy standards, providing advice, and receiving feedback from health systems.
The OCR at HHS should convene experts and stakeholders to develop better guidance and definitions around HIPAA privacy and security compliance. This can be coupled with existing punitive measures to encourage fewer violations.
Recommendation #4.5: Strengthen FDA requirements around medical device security, to ensure that security is baked-in at every point in the device’s life cycle.
The FDA should add a requirement for an end-to-end secure system development lifecycle (SDLC) for medical devices, to ensure more robust security by design. This should be coupled with transitional support such as training, public outreach, and site visits to help steer device manufacturers toward better cybersecurity practices.
Workforce
Recommendation #5.1: Amend the Cybersecurity Enhancement Act of 2014 to incentivize recipients of the CyberCorps Scholarship to serve in specific, critical need sectors like healthcare.
Congress should allow CyberCorps Scholarship recipients to pursue work outside of strictly government organizations, which would open up far more opportunities in healthcare. The Cyber Scholarship Opportunities Act (S. 754) introduced in the Senate in 2017 may help accomplish this goal.
Recommendation #5.2: The US Department of Labor, HHS, and state and local governments should enable models for cybersecurity apprenticeships in the healthcare sector.
NCCoE should coordinate the development of a framework for healthcare cybersecurity apprenticeship programs in particular (going beyond just information technology). Federal and state policymakers should then take action to incentivize the creation of such programs, including through subsidies provided to employers, tax breaks, or public service agreements similar to the CyberCorps Scholarship.
Recommendation #5.3: Create and incentivize adoption of sector-specific Centers of Academic Excellence (CAE) designated programs.
DHS and the NSA should work with stakeholders to develop specific CAE designations for higher education institutions focused on critical infrastructure sectors like healthcare. In addition to the competitive and/or brand advantage such a designation may provide a higher education institution, Congress can incentivize the pursuit of these CAE designations by backing them with potential research funding.
Recommendation #5.4: Support an industry-wide approach for creating a healthcare cybersecurity certification.
NIST should convene stakeholders to inform the creation of a healthcare cybersecurity certification, including industry associations, training providers, professional organizations, hiring managers, and healthcare industry leadership. This certification should focus on healthcare-specific cybersecurity issues, cover the spectrum of junior and senior healthcare employees, and recognize the need for jobs doable by workers with less than five years of professional experience.
Recommendation #5.5: Create a sustainable financing model that supports healthcare providers who typically have the least concentration of cybersecurity expertise.
The federal government should develop programs that increase the retention of healthcare cybersecurity professionals at rural and small- and medium-sized organizations, such as direct grants or loan repayment programs.
Recommendation #5.6: Provide payroll tax incentives to healthcare providers to address the “brain drain” in healthcare cybersecurity.
Federal and state policymakers should offer tax incentives to organizations that retain the same cybersecurity professional in a position for a minimum number of years. Through this baseline, and possible additions such as an increased benefit for each additional year beyond the minimum, governments can encourage healthcare organizations to staff their cybersecurity needs more consistently.
Recommendation #5.7: Empower employees with artificial intelligence and automation tools for time- and data-intensive tasks in order to maximize productivity and reduce burnout.
To maximize productivity and reduce burnout, healthcare organizations should adapt their institutional policies to favor technologies that automate time-intensive tasks and allow efficient review of large patient data sets. This frees organizations to focus their limited staff on other priorities, such as investigating incidents.