Healthcare Cybersecurity Task Force Recommends New Ways to Protect from Cyberattacks.
Last year HHS established the Health Care Industry Cybersecurity Task Force following the passage of the Cybersecurity Act of 2015. The Task Force was composed of government and private industry leaders who are innovators in technology and leaders in healthcare cybersecurity. The Task Force held public meetings and consulted with other experts over the past year in order to develop recommendations to address the growing challenge posed by cyberattacks. Included in those recommendations is a call for a healthcare-specific cybersecurity framework.
The report also called for the HHS Secretary to name and resource a cybersecurity leader for sector engagement, who would work with federal, state and industry partners. The leader would create a plan to establish cybersecurity priorities, report to other federal agencies and coordinate with U.S. and international intelligence agencies.
On June 2, 2017, the Health Care Industry Cybersecurity Task Force released the “Report on Improving Cybersecurity in the Health Care Industry” to Congress. The report highlights the charge of the task force, the key findings, and details of the six identified “key imperatives,” which together contain over 100 recommendations that will bolster cybersecurity in the healthcare industry.
The Charge of the Task Force:
- Analyzing how other industries have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;
- Analyzing challenges and barriers private entities (excluding state and federal governments) in the healthcare industry face in securing themselves against cyber-attacks;
- Reviewing challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an EHR;
- Providing the Department of Health and Human Services (HHS) with information to disseminate to healthcare industry stakeholders of all sizes for purposes of improving their preparedness for and response to cybersecurity threats affecting the industry;
- Establishing a plan for implementing cyber threat information sharing so that the federal government and healthcare industry stakeholders may in real time share actionable cyber threat indicators and defensive measures;
- Reporting to appropriate Congressional Committees on the findings and recommendations of the task force.
Key Findings:
- An industry in need of urgent action.
- All entities within the sector remain a target for bad actors, with the significant potential to jeopardize patient care and safety.
- The state of cybersecurity in healthcare must improve, and coordination across all industry stakeholders (federal agencies, Congress, healthcare providers, medical device manufacturers, accreditors, insurers, professional associations) is paramount.
- The federal government should provide additional resources and opportunities, starting with a new federal official to serve as a single point of contact to the industry on cybersecurity.
- Efforts must be undertaken to streamline and harmonize the federal requirements that may be in conflict or impeding enhanced cybersecurity hygiene.
- More can be done under capabilities to enhance the security of medical devices and electronic health records (EHRs), but provider organizations must be able to manage and administer patches and improvements.
The Task Force Identified Six Key Imperatives:
- Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity.
- Increase security and resilience of medical devices and health IT.
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, risks, and mitigations.
Each imperative includes a set of recommendations and associated action items for implementing the recommendation. Recommendations target the federal government, regulatory and legislative entities, healthcare industry stakeholders, and public/private partnerships. Coordination across the public and private sectors will be critical to accomplishing these goals. Once implemented, the recommendations will help to increase awareness, manage threats, reduce risks and vulnerabilities, and implement protections not currently present across a majority of the healthcare industry.