The data breach notification portal maintained by HHS' Office for Civil Rights is intended to incentivize healthcare organizations to bolster their cybersecurity practices, lest they join the "Wall of Shame" after suffering a data breach. But this method of penalizing organizations is overly punitive in an ecosystem where no organization is safe from external threats, suggested Gary Horn, vice president of technical services and CTO of Downers Grove, Ill.-based Advocate Health Care.
Mr. Horn prepared a testimony for the House Committee on Oversight and Government Reform's subcommittee on information technology regarding federal efforts to improve cybersecurity.
He offered a glimpse at Advocate's own threat landscape: the health system's daily internet usage exceeds 3.6 terabytes, within which more than 120,000 known phishing attacks, fraudulent websites and spyware websites are blocked each day.
While healthcare organizations take steps to defend themselves, "there is never a guarantee that a cybersecurity event cannot occur," Mr. Horn said. "When an incident does occur, the reporting entity is viewed as negligent or incompetent rather than a victim of a crime, and a stiff penalty is levied."
Instead, Mr. Horn said, the country's IT efforts should focus on bolstering the security of the ecosystem as a whole rather than burdening individual institutions.
"Because healthcare is being asked to reduce cost and improve its cybersecurity measures, it would be in the public interest that, rather than a monetary fine, the monies be applied to that entity's cybersecurity continuum, allowing it to swiftly and effectively address the cause of the event and enhance its cybersecurity profile," Mr. Horn said.