The HHS Health Care Industry Cybersecurity Task Force issued a report to Congress last Friday. The lengthy document keys in on the current state of cybersecurity in the U.S. healthcare system and gives multiple recommendations for how to address this ever-growing threat.
The 21 members of the task force found healthcare cybersecurity is “in critical condition.” Not only is there a severe lack of security talent in the sector, but many organizations are also running on legacy equipment.
This isn’t altogether astonishing. There seems to be a new data breach in healthcare nearly every day. In fact, Protenus found there were 39 breach incidents in March alone, consisting of 1.5 million breached patient records.
To address these security-related problems, the task force developed a list of six significant imperatives. The imperatives include:
- Defining and streamlining governance and expectations for cybersecurity
- Increasing the security of medical devices
- Creating the workforce capacity necessary to prioritize cybersecurity awareness
- Increasing readiness via cybersecurity awareness and education
- Finding ways to protect R&D efforts and intellectual property from attacks
- Improving information sharing of threats and weaknesses
The report goes on to chronicle a marathon list of more than 100 recommendations and action items, all of which fall under the six imperatives.
These recommendations include everything from creating a cybersecurity leader role within HHS to pursuing research into protecting healthcare big data sets. Other recommendations are securing legacy systems; establishing a Medical Computer Emergency Readiness Team (MedCERT); developing managed security service provider models; providing patients with information on how to manage their healthcare data; and providing security clearances for members of the healthcare community.
In addition to the report, Steve Curren, director of the division of resilience in ASPR’s Office of Emergency Management, succinctly summed things up in an HHS blog post, claiming the report “emphasizes that healthcare cybersecurity issues are patient safety issues, and calls for a collaborative public and private sector effort to protect our healthcare systems and patients from cyber threats.”
In an email sent to MedCity, an HHS spokesperson commented on the implications of the report:
HHS takes the issue of cybersecurity seriously and stopping malicious cyber activity like the recent “WannaCry” ransomware attack is a top priority. That is why HHS has led a broad strategy to enhance the Department’s cybersecurity to make our data and systems as safe as they can be and to support the private sector in preparedness and response to large breaches. We understand that patients may be concerned regarding recent cyber incidents. It is important to remember that the benefits of seeking care almost always outweigh any potential cybersecurity risk.
Despite all this talk, the question remains: Will we see these recommendations come to fruition? And if so, when?