Unbeknownst to many, Congress established the Health Care Industry Cybersecurity Task Force in 2015 to address the health care industry's cybersecurity challenges. That Task Force--a combination of public and private participants--released a report last week describing U.S. healthcare cybersecurity as being in "critical condition." This conclusion, while disheartening, shouldn't be surprising to readers of this blog. We've blogged about a range of cybersecurity issues affecting health care, from the potential hacking of medical devices with deadly consequences, to ransomware attacks that threaten to shut down hospitals.
The report, which runs nearly 100 pages, identifies the following six high-level imperatives around which the Task Force organizes its recommendations and action items for shoring up the health care cybersecurity landscape:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.
Note: We have extracted the full list of imperatives, recommendations and action items, which can be found here.
The report contains targeted action items like the creation of a cybersecurity leadership role within the U.S. Department of Health & Human Services and the amendment of fraud and abuse laws to allow organizations to help physicians acquire cybersecurity software. But the report also contains more sweeping goals. For example, the Task Force recommends the establishment of a consistent, consensus-based health care specific Cybersecurity Framework, and points to the NIST Cybersecurity Framework and the HIPAA Security Rule as a foundation on which this new framework could be built. The goal, according to the Task Force, should be to promote a "single lexicon" for the health care sector. A tall order, indeed.
According to the report, recent high profile breaches are spurring industry education of cybersecurity matters, a step that is surely needed before we can develop a cybersecurity lingua franca:
With the exception of IT security personnel, many providers and other health care workers often assume that the IT network and the devices they support function efficiently and that their level of cybersecurity vulnerability is low. Recent high-profile incidents, such as ransomware attacks and large-scale privacy breaches, have shown this vulnerability assumption to be false and provided an opportunity to increase education and awareness about the benefits of cybersecurity in the health care community. Moreover, recent ransomware incidents have also highlighted how patient care at health care delivery organizations can be interrupted due to a system compromise. Members of the health ecosystem reported that prior to these breaches many security professionals had difficulty demonstrating the importance of cyber protections to organizational leadership, including how risk mitigation can save money and protect against reputational damage in the long-term. Making the decision to prioritize cybersecurity within the health care industry requires culture shifts and increased communication to and from leadership, as well as changes in the way providers perform their duties in the clinical environment.
For those wishing to educate themselves further on these matters, we recommend exploring a common theme throughout the report: the NIST Cybersecurity Framework. It has become the gold standard for guiding private sector companies in preventing, detecting and responding to cyber attacks. It is estimated that 30% of U.S. organizations use the framework, a number that is predicted to rise to 50% by 2020. And for those wondering how to reconcile the NIST Cybersecurity Framework with the HIPAA Security Rule, HHS has published a crosswalk that can help inform an entity's risk management program.