Following a year of research, the Task Force in June released its Report on Improving Cybersecurity in the Health Care Industry to Congress. The report organizes its recommendations and action items around six high-level imperatives.
Didn't have time to read all 88 pages of the report? Here's a summary of the six imperatives, along with recommendations and action items for each:
1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
The Task Force calls for a heath care-specific cybersecurity framework that can be applied consistently across the sector, the creation of a cybersecurity leader role within HHS to coordinate and align health care cybersecurity activities, and the identification of governance models that can be scaled to organizations of all sizes and types. It also recommends federal agencies harmonize laws and regulations that affect health care industry cybersecurity, since such laws are often inconsistent and unnecessarily burdensome, distracting HCOs from prioritizing risk-based planning.
2. Increase the security and resilience of medical devices and health IT.
The Task Force identifies the need to secure legacy medical devices and EHR applications, employ strong authentication processes to bolster identity and access management, and reduce the attack surface area for medical devices, EHRs and the interfaces between these products. The report recommends the industry engage manufacturers to improve transparency around medical device components and security vulnerabilities as well as increase the adoption and effectiveness of secure development lifecycles. Finally, recognizing the patient safety implications of medical device vulnerabilities, the Task Force urges the establishment of a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
The Task Force focuses on the need for HCOs to identify and support a cybersecurity leader, such as a Chief Information Security Officer (CISO), and establish a model for creating a qualified cybersecurity workforce by determining staffing ratios, health care cybersecurity program certification, and professional development support. The report recognizes there are limited resources on this front, and as such recommends the creation of managed security service provider (MSSP) models to support small and medium-sized health care providers and ensure they have the same security monitoring, defensive, and reporting capabilities as larger organizations.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
Cybersecurity readiness involves collaboration across all members of the industry. This necessitates a cyber-aware workforce, an engaged C-suite and Board of Directors, and an informed public. The Task Force thus advocates broader cybersecurity outreach across the health care workforce, cyber literacy programs for executives and boards of directors on the importance of cybersecurity education, and consumer grading systems for non-regulated health care services and products to help patients manage their health data. The Task Force also recommends the development of an industry-wide standard posture and assessment model for cybersecurity hygiene.
5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
Through its research, the Task Force identified health care R&D as an increasingly lucrative target for intellectual property and trade secret theft. It recommends the industry develop guidance on evaluating the potential economic impact and loss for R&D cybersecurity risks and research protections for health care big data sets.
6. Improve information sharing of industry threats, weaknesses, and mitigations.
The report highlights our increasingly interconnected health care system is only as strong as its weakest link, thus necessitating improved information sharing. The Task Force recommends a broader scope and depth of information sharing across the industry, more effective mechanisms for disseminating and utilizing data, and streamlined capabilities for small and medium-sized organizations, which often rely on a limited cybersecurity staff, to consume the information.
So what does this all mean?
While the Task Force has done much of the legwork to identify areas of urgent need, necessary relevant actions, and responsible entities, it is up to stakeholders across the industry to collaborate, plan, implement, and measure progress against the report's recommendations. With national attention frequently focused on massive data breaches and disruptive, dangerous ransomware attacks against provider organizations, this report could be a peek at potential future federal regulation down the road to get the entire industry to a minimum standard in cybersecurity. Although many of the proposed actions require significant industry investment and undoubtedly will take years to solidify, the report should motivate actors across the health care sector to comprehensively address cybersecurity issues and, ultimately, protect patient data and safety.
There are steps that HCOs can take today to prepare for cybersecurity threats. We recommend HCOs:
- Engage the C-Suite and board of directors in addressing cybersecurity risk. Ensure all leaders are clear on their roles in creating a cyber-resilient organization.
- Conduct regular security awareness trainings and internal phishing campaigns within your organization. All staff should receive training and be held accountable for a pattern of behavior that puts the whole organization at risk.
- Build technology defenses related to identity and access management, cyber intelligence, cyber insurance, information sharing, and mobile device management. Remember that technology investment is necessary, but not sufficient, to reach a state of cybersecurity maturity. These investments must be accompanied by appropriate governance models that incorporate the voice of the end user.
- Focus on attracting and retaining top security talent. Recognize the demand for top security talent and promote a supportive environment for the CISO and other security personnel.