Hospitals are often reluctant to share information about cyberattacks, even with one another, because of liability concerns, a health system CIO testified before Congress recently.

Members of the College of Health Information Management Executives want lawmakers to introduce safe harbors for sharing insights during a hack, said Scott MacLean, CIO of Columbia, Md.-based MedStar Health and chair of the organization.

"Far too often the walls go up and organizations are forced to go into a protectionist mode given the significant liability repercussions associated with a data breach," he testified in April during a hearing about the Change Healthcare ransomware attack.

Mr. MacLean said safe harbors that allowed facts to be passed along during a cyberattack would benefit the entire healthcare industry from a "time-is-brain approach."

"It would move the attack victim from a position of isolation to one where they can freely share threat information for the common good; that will help us all ensure the threat is best contained, managed, and mitigated in a timely fashion," he said.

The Cybersecurity Act of 2015 has increased information sharing but limits that data dissemination to federal agencies and groups designed for that purpose, Mr. MacLean noted.

"We are aware of instances when a hospital experienced a cyberattack and the neighboring hospitals were not made aware because of the liability ramifications," he said. "Far too often organizations are counseled early on by their attorneys that they are not permitted to share details of their incident as doing so would open them to significant legal and regulatory risk."

Becker's recently reached out to the 25 largest health systems to ask about their response to the Change Healthcare cyberattack. All but one either didn't respond or declined to make an executive available to answer questions; Renton, Wash.-based Providence referred Becker's to a prewritten statement on its website.