Cybersecurity Task Force Spells Out “Urgent Challenge” in Health Care

Group identifies key vulnerabilities of providers and hospitals

A long-awaited report by a federal task force has identified key cybersecurity vulnerabilities in health care and has emphasized the importance of collaboration among all stakeholders to close those gaps, according to an article posted on the Fierce Healthcare website.

In the Cybersecurity Act of 2015, Congress established the Health Care Industry Cybersecurity Task Force to address the challenges the health care industry faces when protecting itself against cybersecurity incidents.

In its June 2017 report, the task force pointed out that health care data may be used for a variety of nefarious purposes, including fraud, identity theft, supply-chain disruptions, the theft and sale of proprietary information, stock manipulation, and the disruption of hospital systems and patient care.

“A significant challenge and vulnerability for providers, hospitals, pharmaceutical manufacturers, and laboratories includes the ever-increasing volume of connected medical devices and automated medication delivery systems, which, if not protected, could pose a risk to patient safety,” the report noted.

After a year of discussion, the task force identified six imperatives that must be achieved to increase security within the health care industry:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research-and-development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, risks, and mitigations.

Two of the most pressing issues identified by the task force were the lack of resources available to the provider community to adequately address emerging cyberthreats and a “severe” workforce shortage.

“Today, much of health care is delivered by smaller practices and rural hospitals that may not have the resources to protect against these threats,” Steve Curren, a director in the Office of Emergency Management, wrote in a blog post. “Unfortunately, these organizations often do not possess the infrastructure to identify and track threats; lack the technical capacity to analyze the threat data they receive in order to quickly translate it into actionable information; and lack the capability to act on that information.”

The task force’s report recommended setting industry standards for the ratio of dedicated cybersecurity staff based on the size of an organization.

Another major concern identified in the report was the security of medical devices. The task force called on manufacturers to be more transparent about their ability to patch and update systems and to address security throughout each device’s lifecycle.

The report also had recommendations for the federal government, including creating a cybersecurity leadership role within the Department of Health and Human Services (HHS) that could oversee industry-wide efforts. In addition, the task force called on HHS to provide more guidance on applying the National Institute of Standards and Technology’s framework to the health care industry and to consider incentives that would allow providers to phase out old, vulnerable systems.

Sources: FierceHealthcare; June 5, 2017; and Cybersecurity Report; June 2017.