Share this article on:
Healthcare organizations are committing more funding to cybersecurity and are improving their defenses against cyberattacks, although there is still a long way to go before cybersecurity defenses reach the standards in other industry sectors.
Many healthcare organizations are still struggling to plug security gaps and effectively manage risk, and while large healthcare organizations are now being more proactive when it comes to cybersecurity, small to medium sized healthcare organizations are having difficulty overcoming some of the many challenges faced by the industry. As the National Institute of Standards and Technology (NIST) recently pointed out, “Many [healthcare] organizations still have a reactive stance towards cybersecurity.”
NIST is attempting to address this issue and has recently submitted a request for information on current and future states of cybersecurity in the digital economy. Its aim is to make detailed recommendations on how cybersecurity can be enhanced to improve public safety and patient privacy. NIST is also looking for ways to foster the discovery and development of new technical solutions.
The Health Information Management Systems Society (HIMSS) has recently responded to NIST’s request for information. In a letter to Commission Chair Thomas Donilon of the Commission on Enhancing National Cybersecurity at NIST, HIMSS explained the current and future cybersecurity trends, along with the specific challenges faced by the healthcare industry.
The challenges highlighted by HIMSS are summarized below
- Healthcare is Vulnerable to Cyber Attacks
- Greatest Cybersecurity Concern for the Healthcare Sector is Patient Safety
- Healthcare Organizations Still Need to Improve their Security Posture
- Aging and Outdated Technology Poses Risks to the Healthcare Sector
- Too Many Vulnerabilities in Technology to Contend with
- Third Parties Introduce Risk
- Medical Device Security is a Challenge
- Too Much Malware Exists
HIMSS explains that progress has been made and healthcare organizations do appear to be improving end point and network security, and to a lesser extent, data loss prevention and IT continuity. However, the results from its annual cybersecurity survey show that little has changed in the past 12 months and HIMSS reports growth in cybersecurity is stunted.
HIMSS has suggested areas where improvements can be made. Over the next 1-2 years HIMSS wants to see more outreach to the healthcare sector to promote federal government resources that can be used to help improve healthcare cybersecurity. It is important to make healthcare organizations aware of the cybersecurity resources on offer from the Department of Homeland Security and NIST. In the case of the latter, not only the NIST Cybersecurity Framework, but also the Critical Infrastructure Cyber Community Voluntary Program (C3VP) which can offer assistance with implementing the Framework.
HIMSS also suggests that the benefits of participating in information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs) need to be explained. Better outreach to the healthcare industry is needed, which HIMSS suggests could be performed by the new Healthcare Industry Cybersecurity Task Force at the HHS.
The sharing of threat intelligence has tremendous potential to help healthcare organizations improve cybersecurity defenses. Being more proactive is essential if organizations are to effectively mitigate the risk from increasingly sophisticated and varied cybersecurity threats.
However, while information sharing is improving, there is still a long way to go. Further, the sharing of threat intelligence is only beneficial if the information being received can be understood and used to improve defenses. There is a national shortage of talented, trained, cybersecurity personnel, and the healthcare industry is struggling to recruit the best people. That must change.
In the letter, HIMSS explains that healthcare cybersecurity will be “vastly improved” with “more educated and qualified cybersecurity personnel (e.g., graduates of the National Security Agency’s Centers of Academic Excellence in Cybersecurity) and professionals (such as the CISSP, HCISPP, and other credentials).” HIMSS also suggests it is necessary to encourage “innovation with an eye towards more technology-driven solutions for cybersecurity.”
NIST hopes that after collating and assessing the responses to its RFI, it will be able to make recommendations that will help “bolster partnerships between Federal, State and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices. “