Expert Tells House Committee: "Healthcare Cybersecurity is Worse Than Reported"

TENAFLY, N.J.--(BUSINESS WIRE)--"Cybersecurity in the healthcare industry is far worse than what is reported," the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce learned yesterday from Terence M. Rice, Vice President and Chief Information Security Officer (CISO) at Merck & Co., Inc. Solving the problem will require public-private collaboration and transparency.

Citing that the 2016 IBM Cyber Security Intelligence Index named the healthcare industry as the single most attacked industry, Rice explained reasons that media reports underrepresent the risk faced by industry. They include organizational concerns about reputational damage; the presence of smaller businesses whose limited resources allow them to deal only with basic cybersecurity issues; increased security risk due to the portability of healthcare information; and increased opportunities for attack due to the proliferation of software in the healthcare ecosystem.

His testimony identified existing initiatives that are the foundation for greater healthcare cybersecurity. These include:

• The Department of Health and Human Services (HHS) Sector Coordinating Council, which regularly discusses cybersecurity developments.
• NH-ISAC, a coalition of 200+ companies proactively sharing actionable intelligence and collaborating on ways to more effectively secure “big data” within the healthcare industry.
• SAFE-BioPharma Association, a coalition of pharmaceutical companies which, in collaboration with FDA, National Institute for Standards and Technology (NIST), General Services Administration (GSA), and regulators in the European Union and Japan, developed a digital identity and digital signature standard assuring integrity, identity trust, and non-repudiation of digitally signed documents. A new version of the SAFE-BioPharma identity standard creates a trusted identity ecosystem that will allow the healthcare sector to meet levels of security based on NIST and GSA standards.

Among the areas of opportunity he recommended to enhance greater partnership and collaboration are:

1. HHS appointment of a Healthcare Sector Cybersecurity Liaison to the private sector.
2. A more thorough and detailed appendix added to the existing Healthcare and Public Health Sector Specific Plan. It will help public and private sector entities develop their own cybersecurity incident response plans.
3. Increase the quality of cybersecurity intelligence and the speed with which it is shared.
4. Smaller and more frequent HHS Cybersecurity Table Top Exercises and Simulations to include a broader array of healthcare firms.
5. Implement a digital healthcare identity based on an existing and proven government and private sector standard. Government agencies and larger healthcare firms should build out the healthcare identity ecosystem by implementing existing healthcare digital identity standards. Such an ecosystem would not only significantly improve cybersecurity, but streamline business processes and rationalize the current fragmented, redundant identity trust issue in healthcare
6. HHS, NIST and private sector need to produce a set of guidelines for the implementation of the NIST Cybersecurity Framework within healthcare entities.
7. HHS and private sector should engage with peers in other countries to ensure adoption of common cybersecurity standards and to identify ways to share threat intelligence more broadly across borders.
8. Recruit departing military personnel to fill the estimated 200,000 open U.S. cybersecurity positions. HHS, DHS, and other sector specific agencies can work with private industry to identify critical cybersecurity roles within the private sector and fill them with qualified departing military personnel.

Terence Rice has been involved in healthcare cybersecurity for more than fifteen years. In addition to his role as Vice President and Chief Information Security Officer (CISO) at Merck & Co., Inc., Mr. Rice participates in a number of public-private partnerships working to improve cybersecurity across the healthcare sector. These include SAFE-BioPharma Association, where he is Chairman of the Board; National Health-Information Sharing and Analysis Center (NH-ISAC), where he serves on the Board of Directors; the Healthcare Sector Coordinating Council (SCC); and the Healthcare Industry Cybersecurity Task Force, the latter of which was created by the Cybersecurity Information Sharing Act of 2015.

To read Mr. Rice's entire testimony click here.