In June 2017, the Health Care Industry Cybersecurity Task Force, which was established by Congress as part of the Cybersecurity Act of 2015, published its Report on Improving Cybersecurity in the Health Care Industry. The report serves as a reminder to both the medical field and the federal government that cyberthreats against healthcare providers need to be taken seriously as a matter of critical importance to both public health and national security. It stresses the serious dangers to patient safety, privacy and care that can result from deficient cybersecurity in the healthcare sector. It also highlights the dangers created by ever-increasing digital interconnectivity and the steps the industry needs to take to handle cyber-related challenges.
The report criticizes federal, state and local governments for not taking action to coordinate laws and regulations to assist healthcare providers in their quest for better cybersecurity. It calls for healthcare organizations to take responsibility for securing themselves and the data they collect, for the federal government to modernize laws and regulations in order to enable better sharing of cybersecurity risks, tips and alerts across the industry, and for patients to embrace their role in protecting their personal medical information.
The report identified six crucial cybersecurity imperatives for providers:
Define and streamline leadership, governance and expectations for healthcare industry cybersecurity
The healthcare industry is analogous to a mosaic comprising interrelated but disparate pieces that include everything from the world’s largest health systems to local doctors’ offices, from high-tech research institutions to small rural hospitals, with the diverse national patient population lying at the heart of it all. There are also dozens of federal, state and local regulatory and legal mandates that often conflict, adding to the complexity.
The task force prioritizes simplification, recommending that a cybersecurity leadership role is created within the Department of Health and Human Services so that one person is in charge of comprehensively assessing cyber risks, serving as a point of contact for the healthcare field, and promoting harmonization of regulations and guidance.
Additional recommendations include establishing a consistent cybersecurity framework for the industry, which will build upon and blend mandates currently in place from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the HIPAA Security Rule. This would aim to strengthen and harmonize all constituents within the healthcare system and require that federal regulatory agencies work together to implement more congruent and consistent laws and regulations. The task force encourages the healthcare industry to see cybersecurity not as an external burden, but as another component of proper patient treatment, since patients are the ones at risk from disclosure of personal information or impeded care as a result of a cyberattack, and they are the focus of the healthcare industry itself.
The task force also called upon the federal government to prioritize cybersecurity in the healthcare sector, even if doing so requires significant changes to current federal law.
Increase the security and resilience of IT practices in health care
A second major focus centers on the widespread use of legacy operating systems that were developed and constructed before cybersecurity concerns became a focus. The report recommends securing these legacy systems, improving transparency so that users can have a better understanding of the component parts that comprise the systems they are using, and calling upon manufacturers to take greater initiative in managing the security risks throughout the entire lifetime of the product rather than just at inception. The report also encourages the healthcare sector to strengthen authentication methods. Healthcare professionals often use simple passwords as their sign-in credentials. Instead, the report advocates a two-step authentication approach to passwords that would be more difficult to breach.
Develop the workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
The third imperative stresses the importance of cybersecurity education at every level in the industry and prioritizes the need for recruiting, training and retaining cybersecurity experts in the field. Task force recommendations include creating cybersecurity leadership roles within healthcare organizations, developing a workable ratio of cybersecurity experts to healthcare workers in the field, and designing new cybersecurity education programs with certifications in the medical sector. The individualized needs of different healthcare providers should be taken into account, along with qualities such as organization size and available resources. This maintains a focus on the unique complexity and interrelatedness of the healthcare industry without losing sight of the fact that all entities, large or small, must remain equally secure to ensure the safety of patient information that is used and shared by so many.
Improve cybersecurity awareness and education to increase healthcare industry readiness
This imperative reinforces the need for the healthcare industry to prioritize cybersecurity and implement a holistic strategy to combat the dangers of cyber breaches and attacks. A proactive approach is often easier and less costly than a reactive one, especially as cyber risks continue to evolve, especially in the healthcare arena.
Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure
The healthcare industry invested $158.7 billion in healthcare-related R&D in 2015 alone. Such heavy investment has made the healthcare industry an increasingly attractive target for intellectual property and trade-secret theft.
Improve information-sharing of industry threats, vulnerabilities and mitigations
The report also focuses on the interrelatedness of the industry itself, calling upon the need to share information of industry threats, weaknesses and mitigation. Recommendations include broadening the scope of safety information dissemination and encouraging annual readiness by engaging in exercises to prepare the industry for attacks.
Prevention and preparation
Prevention is key to both mitigation of cyberthreats and recovery from a breach. A healthcare entity that knows the risks and controls the data flowing both within and outside its walls is better equipped to protect sensitive data, mitigate possible security incidents and, most importantly, assure the safety and security of its patients.
In addition to the imperatives outlined in the report, healthcare entities should:
- Implement a holistic approach to cybersecurity throughout the organization, with a focus on patient care.
- Properly train and retrain employees on cybersecurity best practices.
- Minimize users’ access to only the data and systems necessary to do their jobs, and closely monitor access controls to help contain the spread of initial infections.
- Implement data loss prevention and intrusion detection systems.
- Implement, practice and update incident response and business continuity plans.
- Quickly deploy incident response teams while protecting attorney-client privilege.
- Implement regular and offsite data backup procedures.
- Update systems and software with current patches, since any intrusion can spread easily when it encounters unpatched or outdated software.
By addressing the imperatives outlined in the report and following the recommendations above, healthcare entities should be in a better position to address their cybersecurity risks.