Where healthcare cybersecurity can improve in 2017

On June 2nd, the Healthcare Industry (HCIC) Task Force released its long awaited report on the status of cybersecurity in healthcare. In the report, the Task Force outlined six imperatives for the healthcare industry. This blog post will outline the relevant content of that report.

As part of the passage of Cybersecurity Act of 2015, a Healthcare Cybersecurity Task Force was formed.

• Analyze the healthcare cybersecurity problem, analyze other healthcare sectors’ approaches to cybersecurity;
• Review challenges in regard to securing connected medical devices and other software or systems that connect to electronic health record systems
• Establish a cybersecurity information sharing plan for the healthcare industry.

In the report, the Task Force saw that healthcare organizations have a unique challenge when it comes to cybersecurity threats. Cybersecurity for healthcare has to protect the confidentiality, availability, and integrity of health information in the event of cyber threats, ransomware or a data breach. In addition to this complexity in the health sector, organizations that offer health and human services have to consider safety of patients as well. Other barriers that the healthcare industry and health system faces when it comes to cybersecurity are:

• Cybersecurity and information technology is not well understood
• Lack of resources (financial and personal)
• Lack of vendor support
• A unique legal and regulatory environment that at times can seem patchwork and duplicitous

With the growth and challenges that comes with IT adoption in healthcare, the Task Force laid out six imperatives that the public health sectors and private sectors need to consider to reduce their cybersecurity risk. Below is the summary of those imperatives and some of the recommendations the Task Force suggested.

Imperative 1: Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity.

The Task Force observed that healthcare lacks a cybersecurity executive to implement leadership and uniformity amongst healthcare providers for adoption of a cybersecurity framework.

Recommendations:

• Need for a cybersecurity leader role within HHS to align the industry’s efforts for healthcare cybersecurity and security awareness
• Adoption of NIST cybersecurity framework for consistency and consensus
• Require government regulatory agencies (such as the Department of Health and Human Services, the National Institute of Standards and Technology, Congress, the FBI, etc.) to work together to harmonize existing and future laws that affect healthcare cybersecurity
• Identify scalable best practices for governance of cybersecurity across the healthcare industry

Imperative 2: Increase the security and resilience of medical device cybersecurity and health IT

Due to various reasons, such as misalignment of the vendor's SDLC and healthcare provider's budget, many providers still have legacy EHR systems and medical devices in use. These legacy systems and devices present a risk, but proper risk management can eliminate this.

Recommendations:

• Secure legacy systems
• Require stronger authentication to improve identity and access management of healthcare workers, patients, and medical devices/EHR
• Establish a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device specific responses to cybersecurity incidents and vulnerability disclosures

Imperative 3: Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities

Healthcare faces a huge challenge in developing and finding a qualified workforce to address the growth and challenges in IT adoption.

Recommendations:

• Identify a CISO, if organizations can’t they should consider retaining a shared or third party CISO
• Small and medium-sized health care providers should evaluate options to migrate patient records and legacy systems to secure environments (e.g., hosted, cloud, shared computer environments)

Imperative 4: Increase health care industry readiness through improved cybersecurity awareness and education

Cybersecurity can be an enabler for the health care industry, supporting both its business and clinical objectives, as well as facilitating the delivery of efficient, high-quality patient care. However, this requires a holistic cybersecurity strategy. Organizations that do not adopt a holistic strategy not only put their healthcare data, data security, organizations, and reputation at risk, but also – most importantly – the welfare and safety of their patients. Achieving a holistic cybersecurity strategy requires an educated workforce (with proper cybersecurity training) and an informed public who make evidence-based decisions that are reliant on cyber-secure data.

Recommendations:

• Develop an executive education program targeting executives about the importance of cybersecurity and best cybersecurity practices

Imperative 5: Identify mechanisms to protect R&D efforts, protected health information and intellectual property from attacks or cyber security breaches

Each year, the healthcare industry makes massive financial investments in R&D. This presents a lucrative target for security breaches fixating on intellectual property and trade secret theft.

Recommendations:

• Invest in finding methods to protect healthcare data and health care big data sets

Imperative 6: Improve information sharing of industry threats, risks, and mitigations

Information sharing is a challenge in healthcare for two reasons. First, a large sector of the healthcare industry are small and medium size businesses with little to no cybersecurity expert on staff. Second, currently there is no single entity within healthcare tasked with providing a solution for comprehensive information sharing. Healthcare can no longer ignore the threat and needs to share the necessary information. We’re only as strong as our weakest link.

Recommendations:

• Information sharing should be tailored for consumption by small and medium providers
• Annual readiness exercise should be encourage. Currently most providers are not doing them

In summary, the Task Force report laid out the gaps and challenges within healthcare cybersecurity and how to address them. Considering the rise in cyberattacks in healthcare recently, it is crucial that the industry as a whole begin to implement some of these imperatives. If you do apply these recommendations, you are sure to be amongst health care leaders when it comes to optimal cybersecurity.