Report: Health care cybersecurity unprepared and under threat

About Rebecca Vesely

Rebecca Vesely is AHCJ's topic leader on health information technology and a freelance writer. She has written about health, science and medicine for AFP, the Bay Area News Group, Modern Healthcare, Wired, Scientific American online and many other news outlets.

Photo by jfcherry via Flickr

The first rule of health care cybersecurity is you don’t talk about health care cybersecurity.

In reporting on cybersecurity threats, journalists will likely encounter resistance from hospitals, health systems and health insurers to speaking publicly about their readiness and strategies around cybersecurity.

It’s a natural response, as they fear any public information about their tactics could open them up to a targeted attack.

That makes it tough for journalists to get a sense of the capabilities of health providers and payers in their communities in fending off a cyber attack.

So the highly anticipated June 2 final report to Congress on improving cybersecurity in the health care industry, by the Health Care Industry Cybersecurity Task Force, is a helpful guide for reporters to know where the industry stands on the threats they face.

To be brief, it’s not good.

Lack of funding for cybersecurity; staffing shortages of information security professionals; poor infrastructure to track threats; difficult-to-replace legacy and vulnerable computer systems; and inaccurate assumptions about risks are all areas identified in the report as big problems facing health organizations.

The task force, comprising 21 private industry and government leaders, formed in 2016 as required by the Cybersecurity Act of 2015. The task force held public meetings and consulted with stakeholders across the health care spectrum over the past year to develop the 96-page report.

The task force identified six imperatives for the industry:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, risks and mitigations.

The task force made many recommendations for each imperative. These include:

  1. Create a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity.
  2. Improve manufacturing and development transparency among developers and users.
  3. Require strong authentication to improve identity and access management for health care workers, patients, and medical devices/EHRs.
  4. Establish a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.
  5. Every organization must identify the cybersecurity leadership role for driving for more robust cybersecurity policies, processes, and functions with clear engagement from executives.
  6. Establish a model for adequately resourcing the cybersecurity workforce with qualified individuals.
  7. Provide patients with information on how to manage their health care data, including a cybersecurity and privacy grading system for consumers to make educated decisions when selecting services or products.
  8. Provide security clearances for members of the health care community.

Are these goals achievable? See the following recent reporting for more on the task force report and industry response:

And here are some terms to get familiar with:

Leave a Reply