In June 2017, the Health Care Industry Cybersecurity Task Force, which was established by Congress as part of the Cybersecurity Act of 2015, published its Report on Improving Cybersecurity in the Health Care Industry. The report serves as a reminder to both the medical field and the federal government that cyberthreats against health care providers need to be taken seriously as a matter of critical importance to both public health and national security. It stresses the serious dangers to patient safety, privacy and care that can result from deficient cybersecurity in the health care sector. It also highlights the dangers created by ever-increasing digital interconnectivity, and the steps the industry needs to take to handle cyber-related challenges.
The report criticizes federal, state and local governments for not taking action to coordinate laws and regulations to assist health care providers in their quest for better cybersecurity. It calls for health care organizations to take responsibility for securing themselves and the data they collect, the federal government to modernize laws and regulations in order to enable better sharing of cybersecurity risks, tips and alerts across the industry, and for patients to embrace their role in protecting their personal medical information.
The report identified six crucial cybersecurity imperatives for providers:
1. Define and streamline leadership, governance and expectations for health care industry cybersecurity.
The health care industry is analogous to a mosaic comprising interrelated but disparate pieces that include everything from the world’s largest health systems to local doctors’ offices, from high-tech research institutions to small, rural hospitals, with the diverse national patient population lying at the heart of it all. There are also dozens of federal, state and local regulatory and legal mandates that often conflict, adding to the complexity.
The task force prioritizes simplification, recommending that a cybersecurity leadership role be created within the Department of Health and Human Services so that one person is in charge of comprehensively assessing cyberrisks, serving as a point of contact for the health care field, and promoting harmonization of regulations and guidance.
Additional recommendations include establishing a consistent cybersecurity framework for the industry, which will build upon and blend mandates currently in place from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the HIPAA Security Rule. This would aim to strengthen and harmonize all constituents within the health care system and require that federal regulatory agencies work together to implement more congruent and consistent laws and regulations. The task force encourages the health care industry to see cybersecurity not as an external burden, but as another component of proper patient treatment, since patients are the ones at risk from disclosure of personal information or impeded care as a result of a cyberattack, and they are the focus of the healthcare industry itself.
The task force also called upon the federal government to prioritize cybersecurity in the health care sector, even if doing so requires significant changes to current federal law.
2. Increase the security and resilience of IT practices in health care.
A second major focus centers on the widespread use of legacy operating systems that were developed and constructed before cybersecurity concerns became a focus. The report recommends securing these legacy systems, improving transparency so that users can have a better understanding of the component parts that comprise the systems they are using, and calling upon manufacturers to take greater initiative in managing the security risks throughout the entire lifetime of the product rather than just at inception. The report also encourages the health care sector to strengthen authentication methods. Health care professionals often use simple passwords as their sign-in credentials. Instead, the report advocates a two-step authentication approach to passwords that would be more difficult to breach.
3. Develop the workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
The third imperative stresses the importance of cybersecurity education at every level in the industry and prioritizes the need for recruiting, training and retaining cybersecurity experts in the field. Task force recommendations include creating cybersecurity leadership roles within health care organizations, developing a workable ratio of cybersecurity experts to health care workers in the field, and designing new cybersecurity education programs with certifications in the medical sector. The individualized needs of different health care providers should be taken into account, along with qualities such as organization size and available resources. This maintains a focus on the unique complexity and interrelatedness of the health care industry without losing sight of the fact that all entities, large or small, must remain equally secure to ensure the safety of patient information that is used and shared by so many.
4. Improve cybersecurity awareness and education to increase health care industry readiness.
This imperative reinforces the need for the health care industry to prioritize cybersecurity and implement a holistic strategy to combat the dangers of cyberbreaches and attacks. A proactive approach is often easier and less costly than a reactive one, especially as cyberrisks continue to evolve, especially in the health care arena.
5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
The health care industry invested $158.7 billion in health care-related R&D in 2015 alone. Such heavy investment has made the health care industry an increasingly attractive target for intellectual property and trade-secret theft.
6. Improve information-sharing of industry threats, vulnerabilities and mitigations.
The report also focuses on the interrelatedness of the industry itself, calling upon the need to share information of industry threats, weaknesses and mitigation. Recommendations include broadening the scope of safety information dissemination and encouraging annual readiness by engaging in exercises to prepare the industry for attacks.
Prevention and Preparation
Prevention is key to both mitigation of cyberthreats and recovery from a breach. A health care entity that knows the risks and controls the data flowing both within and outside its walls is better equipped to protect sensitive data, mitigate possible security incidents and, most importantly, assure the safety and security of its patients.
In addition to the imperatives outlined in the report, health care entities should:
- Implement a holistic approach to cybersecurity throughout the organization, with a focus on patient care.
- Properly train and retrain employees on cybersecurity best practices.
- Minimize users’ access to only the data and systems necessary to
- do their jobs, and closely monitor access controls to help contain the spread of initial infections.
- Implement data loss prevention and intrusion detection systems.
- Implement, practice and update incident response and business continuity plans.
- Quickly deploy incident response teams while protecting attorney-client privilege.
- Implement regular and offsite data backup procedures.
- Update systems and software with current patches, since any intrusion can spread easily when it encounters unpatched or outdated software.
By addressing the imperatives outlined in the report and following the recommendations above, health care entities should be in a better position to address their cybersecurity risks.