Final Healthcare Cybersecurity Task Force Report Details 6 Imperatives to Improve Security

The Health Care Industry Cybersecurity (HCIC) Task Force was formed by Congress, as required by the Cybersecurity Act of 2015. The purpose of the HCIC Task Force is to address the cybersecurity challenges faced by the healthcare industry and help the healthcare industry improve cybersecurity defenses and prevent security breaches.

The Cybersecurity Information Sharing Act of 2016 required the Health Care Industry Cybersecurity Task Force to issue a report detailing changes that can be made to improve cybersecurity in the healthcare industry. The final version of the report was released on Friday, June 2.

The HCIC Task Force explains in the report that the high number of hacking incidents, ransomware attacks and data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in recent years clearly shows the healthcare industry is struggling to secure networks and data.

The HCIC Task Force says many healthcare organizations believe cybersecurity vulnerability is low. Recent breaches and ransomware attacks have shown that assumption is false. While recent data breaches have highlighted the very real risk of security incidents and data breaches, addressing vulnerabilities and improving security is a major challenge.

Most healthcare organizations have extremely limited budgets and lack highly skilled cybersecurity personnel. Infrastructures make it difficult to identify and track threats, and a lack of skilled staff means many healthcare organizations cannot easily translate threat data into actionable information. Even if threat information can be turned into actionable information, many organizations do not have the capability to act on that information.

However, these cybersecurity threats place the safety of patients at risk. Recent ransomware attacks have shown that access to patient data can be blocked, while vulnerabilities in medical devices could be exploited to cause patients serious harm. The report says, “health care cybersecurity is a key public health concern that needs immediate and aggressive attention.”

Prior to writing the report, the HCIC Task Force consulted experts from other critical infrastructure sectors and received briefings on strategies and safeguards that could be implemented to address key cybersecurity threats. The Task Force also spoke with stakeholders on the challenges faced by the healthcare industry.

One of the key problems identified in those discussions is severe budgetary constraints. That means healthcare organizations are faced with a choice between purchasing cybersecurity technologies to secure networks and data, buying new, much-needed medical equipment, or paying staff costs.

However, if vulnerabilities are not addressed and action is not taken to improve security, the safety of patients will be placed at risk.

In a recent blog post, Steve Curren, Director of the Division of Resilience in ASPR’s Office of Emergency Management, said “The Office of the Assistant Secretary for Preparedness and Response understands that healthcare facilities are facing these challenges right now and we have developed a collection of peer-reviewed resources on cybersecurity to help healthcare industry stakeholders better protect against, mitigate, respond to, and recover from cyber threats, in order to better defend patient safety and operational continuity.”

Task Force Co-Chairs Emery Csulak and Theresa Meadows explained that “While much of what we recommend will require hard work, difficult decisions, and commitment of resources, we will be encouraged and unified by our shared values as health care industry professionals and our commitment to providing safe, high quality care.”

In the report, the HCIC Task Force made several recommendations to improve healthcare cybersecurity and detailed six high-level imperatives:


The authors say, “The successful implementation of these recommendations will require adequate resources and coordination across the public and private sector. Once implemented, the recommendations will increase security for the health care industry’s organizations, networks, and associated medical devices.”

The report has changed little from the pre-release version issued early last month. The final version of the 88-page report can be viewed on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.