Healthcare Industry Cybersecurity Task Force Releases Report

The Healthcare Industry Cybersecurity Task Force, in June 2017, released its report entitled “Report on Improving Cybersecurity in the Health Care Industry” (“Report”).  The Report was written through the efforts of a 21-member Cybersecurity Task Force (“Task Force”).

In its letter to members of the U.S. Senate and House of Representatives included in the Report, the Task Force stated that the Cybersecurity Act of 2015 “provided a much-needed opportunity to convene public and private sector subject matter experts to spend the last year discussing and developing recommendations on the growing challenge of cyber-attacks targeting health care”.

Background

Because cybersecurity issues in the healthcare industry are becoming a greater concern with each passing day, the Task Force was established by the Cybersecurity Act of 2015 with the purpose of educating the healthcare industry about cybersecurity and raising awareness of it.  The Task Force includes members from the federal government, hospitals, insurers, patient advocates, security researchers, pharmaceutical companies, medical device manufacturers, health information technology developers and vendors, and laboratories.  In its Report, the Task Force provides healthcare organizations with recommendations and responses regarding measures to be taken to protect information and to react to a cyber-attack, such as a ransomware attack or identity theft.

In general, cybersecurity can be defined as the body of technologies, processes and practices designed to protect connected computer networks, networked medical devices, programs and data from attack, damage or unauthorized access. As indicated in the Report, “Health care data may be used for a variety of nefarious purposes including fraud, identity theft, supply chain disruptions, the theft and sale of proprietary information, stock manipulation, and disruption of hospital systems and patient care. A significant challenge and vulnerability for providers, hospitals, pharmaceutical manufacturers, and laboratories includes the ever-increasing volume of connected medical devices and automated medication delivery systems, which, if not protected, could pose a risk to patient safety.”  In working to draft the Report, the Task Force identified “critical” areas for discussion including, but not limited to, the following:

  • Who from the federal government provides cybersecurity leadership and coordinates the preparedness and response for cybersecurity incidents for the health care sector?
  • How does industry organize itself to oversee and promote health care cybersecurity priorities and share information?
  • How does the sector leverage the NIST Cybersecurity Framework, or other frameworks, as a standard to measure itself, as well as to design and implement risk management practices?
  • What impact does the diversity of regulations have on the ease of adoption of cybersecurity practices or the ability of industry members to collaborate on cybersecurity issues?
  • How do legacy systems (including medical devices, electronic health records, etc.) affect health care industry cybersecurity and how can these systems be made more resilient?
  • What are the cybersecurity challenges facing small and rural organizations?

The Report

The Secretary of Health and Human Services, working with the Director of the National Institute of Standards and Technology and the Secretary of Homeland Security, also drew on healthcare industry representatives to work with the Task Force in identifying areas of concern regarding cybersecurity in the healthcare industry.

Section 405(c) of the Cybersecurity Act of 2015 required the Task Force to accomplish the following six tasks in developing the Report:

a) – Analyze how industries, other than the health care industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;

b) – Analyze challenges and barriers private entities (excluding any State, tribal, or local government) in the health care industry face securing themselves against cyber-attacks;

c) – Review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record;

d) – Provide the Secretary with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry;

e) – Establish a plan for implementing title I of this division, so that the Federal Government and health care industry stakeholders may in real time, share actionable cyber threat indicators and defensive measures; and

f) – Report to the appropriate congressional committees on the findings and recommendations of the task force regarding carrying out subparagraphs (a) through (e).

In developing the Report, the Task Force gathered information in a variety of ways, including public meetings, briefings and consultations with experts, internal Task Force meetings and responses to blog posts.  The Task Force developed recommendations and action items to increase cybersecurity in the healthcare industry and identified six “high-level imperatives” which it used to organize these recommendations and action items.  As outlined in the Report, these imperatives include:

1 – Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity;

2 – Increase the security and resilience of medical devices and health IT;

3 – Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities;

4 – Increase health care industry readiness through improved cybersecurity awareness and education;

5 – Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure; and

6 – Improve information sharing of industry threats, weaknesses and mitigations.

The Task Force’s recommendations and action items for each of the imperatives listed above are outlined in detail in the Report.

Conclusion

The imperatives developed by the Task Force in its Report show that patient safety can be a significant concern when dealing with cybersecurity issues.  The Task Force states in its letter that “As health care becomes increasingly dependent on information technology, our ability to protect our systems will have an ever greater impact on the health of the patients we serve. While much of what we recommend will require hard work, difficult decisions, and commitment of resources, we will be encouraged and unified by our shared values as health care industry professionals and our commitment to providing safe, high quality care.”

Health care data is vulnerable.  As stated above and in the Report, data collected for patients and for developing new treatments can be used for alternative purposes such as fraud, identity theft, supply chain disruptions, theft of research and development, stock manipulation and disruption of patient care.  It is more important now than ever for healthcare organizations to be aware of the multitude of cybersecurity issues that exist and to take whatever precautions are necessary to avoid a cyber-attack.

The Department of Health and Human Services Office for Civil Rights has developed a “Quick Response Checklist” for organizations that have experienced a cyber-attack.

Do you know how secure you are in the event of a cyber-attack? Here is a cybersecurity checklist that Withum developed to provide you with a basis for your cybersecurity conversations. For any questions or more information, fill out the form below and one of our experts will reach out to you.

A copy of the Report and the Checklist can both be accessed below.
