Federal Health Care Cybersecurity Task Force Issues Recommendations for Industry

TOPICS:

Posted By: Roberta Mullin June 13, 2017

By David Harlow, JD MPH, Principal, The Harlow Group LLC
Twitter: @healthblawg
Host: HIPAA Chat! Register for the next broadcast.

The Health Care Industry Cybersecurity Task Force has issued its Report on Improving Cybersecurity in the Health Care Industry.

The task force’s mandate was quite broad:

  • Analyze how other industries have implemented strategies and safeguards to address cybersecurity threats;
  • Analyze challenges and barriers the health care industry encounters when securing itself against cyber-attacks;
  • Review challenges to secure networked medical devices and other software or systems that connect to an electronic health record;
  • Provide the Secretary with information to disseminate to health care industry stakeholders to improve their preparedness for, and response to, cybersecurity threats;
  • Establish a plan to create a single system for the Federal Government to share actionable intelligence regarding cybersecurity threats to the health care industry in near real time for no fee; and
  • Report to Congress on the findings and recommendations of the task force.

The report contains 100 recommendations (overall categories, or broad “imperatives,” and certain specific recommendations are highlighted here), but begins with the diagnosis: the patient is in critical condition, there is a severe lack of security talent, the system relies on vulnerable legacy equipment, Meaningful Use has driven the system prematurely into an “over-connected” state, the vulnerabilities have a direct impact on patient care, and there is an epidemic of known vulnerabilities across legacy health care technologies currently in use.

Against this backdrop, it is clear that a tremendous level of commitment will be required in order to address the crisis: high-level leadership, public and private sector financial resources, central coordination of efforts, legislative and regulatory changes to permit pooling of resources without fraud and abuse (anti-kickback) concerns, and more. These foundational elements will be needed in order to execute on the recommendations in the report across the broad categories outlined by the report’s six “imperatives:”

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, weaknesses, and mitigations.

None of these is susceptible to a quick fix, and it is difficult to imagine the seismic shifts in the industry that would be required — cultural, financial, technical — occurring quickly or smoothly. Indeed, the task force sees the need to create a healthcare-specific version of the NIST cybersecurity framework. (The current framework is recognized under the HIPAA Security Rule as a key standard; recognition of a new framework would not necessarily require amendments to the Security Rule.) That alone will take a while. The rest of the 100 action items are similarly long-term recommendations.

Related: HIPAA Chat with Task Force member David Finn of Symantec

Meanwhile, cyberattacks will continue. Breaches due to human error will continue. Avarice will continue to drive more security breaches, including DDOS and ransomware attacks.

Recognizing this fact of life, OCR released a “quick response” cyber attack checklist and infographic.

A commitment to change on the scale required in order to combat the threat at hand demands strong leadership of a kind that we are not currently seeing in Washington. But solutions to this pervasive problem cannot be imposed top-down. A commitment to change at the individual health care provider, health care payor, health care device manufacturer level is ultimately required in order for the risks to be mitigated. This will require strong leadership — prompted, perhaps, by rules and regulations, and by the threat of fines, but ultimately driven by the mission to provide the best possible care, because it’s the right thing to do, and an understanding that addressing cybersecurity is not a one-time effort but, rather, a continual process. And as we’ve seen in other arenas, doing the right thing often results in lower costs and higher quality (think handwashing and healthcare-acquired infections). If cybersecurity is not encoded in the health care community’s organizational DNA by dint of the efforts of strong leaders at the local level, then it is difficult to see a future state that includes bringing these threats under control.

This article was originally published on HealthBlawg and is republished here with permission.