HHS task force says healthcare cybersecurity in 'critical condition'
U.S. healthcare organizations are severely flawed when it comes to cybersecurity and lag other sectors in safeguarding systems and sensitive information, the U.S. Department of Health and Human Services said Friday in its long-awaited Health Care Industry Cybersecurity Task Force report.
Although the healthcare industry is working toward modernizing its IT systems and building security, the failures carry very high risk since the information these organizations hold is often the most private.
“What we consistently encountered was a strategic pitfall in cybersecurity environment,” said Atlantic Council Director of the Cyber Statecraft Initiative and HHS Cybersecurity Task Force member Josh Corman. “Healthcare cybersecurity is in critical condition.”
To combat this, the task force identified six key imperatives: define and streamline leadership, governance and expectations for healthcare cybersecurity; improve medical device and health IT security and resilience; develop the necessary healthcare workforce capacity to prioritize and ensure cybersecurity awareness and technical capabilities; increase industry readiness with better cybersecurity awareness and education; identify mechanisms to protect research and development efforts and intellectual property from attacks and exposures; and improve data sharing of industry threats, risks and mitigation.
Specifically, healthcare staffing issues have become so dire that three out of four hospitals don’t have a designated security person and have been forced to get creative with security needs.
In 2015, the healthcare industry experienced more breaches stemming from cyberattacks than any other industry, the report found. And the rise of ransomware in 2016 has only compounded the issue.
Adding to these risks is the flawed perception among small organizations that only large hospitals are being targeted by cybercriminals; the task force found this is not the case. In fact, all healthcare organizations, no matter their size, are being targeted due to the value and sensitivity of healthcare data.
“Less mature entities have yet to understand or implement these protections due to a lack of awareness, financial resources or staff,” the report authors said.
“Given the interconnectivity and diversity within the sector, the interdependency of subsectors on one another, and the disparity between organizations’ ability to address cybersecurity issues, healthcare as a whole will only be as secure as the weakest link,” they said.
The report, compiled by 21 cybersecurity experts, contains over 100 recommendations in response to these imperatives that will bolster cybersecurity in the healthcare industry. Included in those recommendations is a call for a healthcare-specific cybersecurity framework.
The report also called for the HHS Secretary to name and resource a cybersecurity leader for sector engagement, who would work with federal, state and industry partners. The leader would create a plan to establish cybersecurity priorities, report to other federal agencies and coordinate with the U.S. and international intelligence agencies to bolster the Vulnerability Equities Process.
HIMSS applauded the report, which it feels “emphasized the themes put forward in the HIMSS Cybersecurity Position Statement from September 2016, which recommended adopting a universal information privacy and security framework for the health sector, creating an HHS cyber leader role, and addressing the shortage of qualified cybersecurity professionals.”
“HIMSS also appreciates the focus from the Task Force on promoting the greater sharing of threat information across the entire community, and tailoring information sharing for easier consumption by small and medium-size organizations,” officials said in a statement. “HIMSS stands ready to continue to work with HHS to increase healthcare industry readiness through improved cybersecurity awareness and education.”