June 12, 2017. On Friday, June 2, 2017, the U.S. Department of Health and Human Services released the Report on Improving Cybersecurity in the Health Care Industry, an outcome of the Cybersecurity Act of 2015. In its blog, HHS stated: “Today, the [Health Care Industry Cybersecurity] Task Force issued their findings to Congress that demonstrate the urgency and complexity of the ever-changing cybersecurity risks facing the healthcare industry. Their report emphasizes that healthcare cybersecurity issues are patient safety issues, and calls for a collaborative public and private sector effort to protect our healthcare systems and patients from cyber threats.”
The Task Force identified six high-level imperatives—in bold below—by which to organize its recommendations and action items. The imperatives and embedded recommendations are presented below, and you may download the Report for the action steps for each recommendation:
Imperatives and Recommendations
- **Define and streamline leadership, governance, and expectations for health care industry cybersecurity.**
  - Recommendation 1.1. Create a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity.
  - Recommendation 1.2. Establish a consistent, consensus-based health care-specific Cybersecurity Framework.
  - Recommendation 1.3. Require federal regulatory agencies to harmonize existing and future laws and regulations that affect health care industry cybersecurity.
  - Recommendation 1.4. Identify scalable best practices for governance of cybersecurity across the health care industry.
  - Recommendation 1.5. Explore potential impacts to the Physician Self-Referral Law, the Anti-Kickback Statute, and other fraud and abuse laws to allow large health care organizations to share cybersecurity resources and information with their partners.
- **Increase the security and resilience of medical devices and health IT.**
  - Recommendation 2.1. Secure legacy systems.
  - Recommendation 2.2. Improve manufacturing and development transparency among developers and users.
  - Recommendation 2.3. Increase adoption and rigor of the secure development lifecycle (SDL) in the development of medical devices and EHRs.
  - Recommendation 2.4. Require strong authentication to improve identity and access management for health care workers, patients, and medical devices/EHRs.
  - Recommendation 2.5. Employ strategic and architectural approaches to reduce the attack surface for medical devices, EHRs, and the interfaces between these products.
  - Recommendation 2.6. Establish a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.
- **Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.**
  - Recommendation 3.1. Every organization must identify the cybersecurity leadership role for driving more robust cybersecurity policies, processes, and functions with clear engagement from executives.
  - Recommendation 3.2. Establish a model for adequately resourcing the cybersecurity workforce with qualified individuals.
  - Recommendation 3.3. Create managed security service provider (MSSP) models to support small and medium-size health care providers.
  - Recommendation 3.4. Small and medium-sized health care providers should evaluate options to migrate patient records and legacy systems to secure environments (e.g., hosted, cloud, shared computer environments).
- **Increase health care industry readiness through improved cybersecurity awareness and education.**
  - Recommendation 4.1. Develop executive education programs targeting Executives and Boards of Directors about the importance of cybersecurity education.
  - Recommendation 4.2. Establish a cybersecurity hygiene posture within the health care industry to ensure that risks from existing and new products/systems are managed in a secure and sustainable fashion.
  - Recommendation 4.3. Establish a conformity assessment model for evaluating cybersecurity hygiene that regulatory agencies and industry could rely on, instead of a diversity of auditors.
  - Recommendation 4.4. The NIST Baldrige Cybersecurity Excellence Builder should be further developed: (1) specific to health care, and (2) specific to the types of health care operations that are widely deployed across the industry and have limited access to cybersecurity resources (e.g., small hospitals or practices, rural locations with limited access to security resources).
  - Recommendation 4.5. Increase outreach and engagement for cybersecurity across federal, state, local, tribal, territorial, and private sector partners through an education campaign including meetings, conferences, workshops, and tabletop exercises across regions and industry.
  - Recommendation 4.6. Provide patients with information on how to manage their health care data, including a cybersecurity and privacy grading system that lets consumers make educated decisions when selecting non-regulated health care services or products.
- **Identify mechanisms to protect research and development (R&D) efforts and intellectual property from attacks or exposure.**
  - Recommendation 5.1. Develop guidance for industry and academia on creating economic impact and loss analyses for cybersecurity risk in health care research and development.
  - Recommendation 5.2. Pursue research into protecting health care big data sets.
- **Improve information sharing of industry threats, weaknesses, and mitigations.**
  - Recommendation 6.1. Tailor information sharing for easier consumption by small and medium-size organizations that rely on limited or part-time security staff.
  - Recommendation 6.2. Broaden the scope and depth of information sharing across the health care industry and create more effective mechanisms for disseminating and utilizing data.
  - Recommendation 6.3. Encourage annual readiness exercises by the health care industry.
  - Recommendation 6.4. Provide security clearances for members of the health care community.
According to the Report, “the successful implementation of these recommendations will require adequate resources and coordination across the public and private sector. Once implemented, the recommendations will increase security for the health care industry’s organizations, networks, and associated medical devices.” Success will only occur when healthcare organizations sharpen their focus and invest more resources, wisely, to protect their valuable electronic information assets—and that includes complying with the HIPAA Privacy and Security Rules, the HITECH Act Breach Notification Rule, and forthcoming guidance from HHS on cybersecurity defenses.
Toward that end, healthcare organizations’ Security Officials should acquaint themselves with ASPR TRACIE, the Healthcare Emergency Preparedness Information Gateway run by the HHS Office of the Assistant Secretary for Preparedness and Response (ASPR). The name stands for Technical Resources (TR), Assistance Center (AC), and Information Exchange (IE). The Gateway has a wealth of resources pertaining to cybersecurity matters for your organization’s review. Be sure that your organization subscribes to the listserv for alerts.