Earlier this month, the Health Care Industry Cybersecurity (HCIC) Task Force issued a pre-release copy of its upcoming cybersecurity report which outlines some of the changes that are necessary to improve resilience against cyberattacks and other data security threats. In the report the Task Force calls for ‘immediate and aggressive attention’ to tackle growing healthcare cybersecurity threats.
The HCIC Task Force was formed by Congress to address the challenges healthcare organizations face securing and protecting against intentional and unintentional cybersecurity incidents. Those incidents are a major public health concern.
Few would dispute that assessment. Just days after the pre-release copy was issued, a massive global ransomware attack occurred. While U.S. healthcare organizations appear to have escaped relatively unscathed, that was not the case in the United Kingdom: more than a week after many NHS Trusts had computers encrypted by the ransomware, some hospital services were still being disrupted.
The report details six imperatives for improving healthcare cybersecurity and provides a number of recommendations for the healthcare industry to improve resilience against cyberattacks.
HCIC’s 6 imperatives are:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.
The HCIC Task Force recommends that HHS establish a ‘cybersecurity leader’ role to oversee and guide cybersecurity efforts in the healthcare sector, and suggests that a version of the National Institute of Standards and Technology (NIST) Cybersecurity Framework should be developed specifically for the healthcare industry.
The past 18 months have seen an increase in financial settlements between the HHS’ Office for Civil Rights and healthcare organizations to resolve HIPAA violations discovered during data breach investigations. However, the Task Force suggests that regulators should adopt “a more lenient approach” to security breaches that result from honest errors, in order to encourage organizations to share information about those breaches. If information sharing is encouraged without fear of financial repercussions, it becomes easier for the healthcare industry to learn from the mistakes of others.
To improve medical device security, the Task Force says there needs to be greater cooperation between device manufacturers and healthcare providers to inventory and secure legacy systems. Devices must also be equipped with stronger authentication controls, and new strategic and architectural approaches are required to reduce the attack surface. Vendors also need to be more transparent about the cybersecurity protections that apply across the entire life cycle of a medical device, from design through to end of support.
The Task Force calls for healthcare organizations to hire qualified cybersecurity professionals and install them in leadership positions with overall responsibility for cybersecurity. However, healthcare organizations are struggling to recruit and retain cybersecurity professionals: there is a major staff shortage, and there are not enough experienced CISOs to fill all of the available positions. That situation must improve.
Education on the cybersecurity risks faced by healthcare organizations needs to be improved at the C-suite level, and more tools are required to help organizations manage and assess the cybersecurity protections that have been put in place. Further academic research is also needed to identify new methods of protecting healthcare information.
One key recommendation is to provide healthcare organizations with actionable intelligence that allows them to respond rapidly to current threats. The Task Force says there must be greater information sharing across the healthcare industry. Threat information also needs to be packaged in a way that allows individuals with only part-time cybersecurity responsibilities, which is the reality at many smaller providers, to act on it quickly and mitigate risk.
The full report is due to be released in the next few days.