Why hospitals are tight-lipped about cyberattacks

Hospitals are often reluctant to share information about cyberattacks, even with one another, because of liability concerns, a health system CIO told Congress.

Members of the College of Health Information Management Executives want lawmakers to introduce safe harbors around knowledge exchange during hacks, said Scott MacLean, chair of CHIME and CIO of Columbia, Md.-based MedStar Health.

"Far too often the walls go up and organizations are forced to go into a protectionist mode given the significant liability repercussions associated with a data breach," he testified in April during a hearing about the Change Healthcare ransomware attack.

Mr. MacLean said safe harbors that allowed facts to be passed along during a cyberattack would benefit the entire healthcare industry from a "time-is-brain approach."

"It would move the attack victim from a position of isolation to one where they can freely share threat information for the common good; that will help us all ensure the threat is best contained, managed, and mitigated in a timely fashion," he said.

The Cybersecurity Act of 2015 has increased information sharing but limits that data dissemination to federal agencies and groups designed specifically for that purpose, Mr. MacLean noted.

"We are aware of instances when a hospital experienced a cyberattack and the neighboring hospitals were not made aware because of the liability ramifications," he said. "Far too often organizations are counseled early on by their attorneys that they are not permitted to share details of their incident as doing so would open them to significant legal and regulatory risk."

Becker's recently reached out to the 25 largest health systems to ask about their response to the Change Healthcare cyberattack. All but one either didn't respond or declined to make an executive available to answer questions; Renton, Wash.-based Providence referred Becker's to a prewritten statement on its website.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars