Last week, SearchHealthIT discussed how the Health Care Industry Cybersecurity Task Force declared cybersecurity a public health issue. This week, SearchHealthIT takes an in-depth look at the six imperatives laid out by the cybersecurity task force.
The Health Care Industry Cybersecurity Task Force (HCIC Task Force), created by Congress under the Cybersecurity Act of 2015, gathered input from external stakeholders and subject matter experts across the healthcare industry and other sectors to determine what changes are needed, and what goals must be met, to improve cybersecurity in healthcare.
In its report, the task force lists six cybersecurity imperatives:
Better define leadership, governance, and expectations for healthcare cybersecurity
There are many opportunities for confusion when it comes to cybersecurity in healthcare, the report said.
“The technical infrastructure underlying health systems is inordinately complex. It must support not only patient records but also a diverse suite of medical devices used in diagnosing, monitoring, and treating patients,” the report said. “Understanding and managing cybersecurity risks for this mission-critical environment is challenging as the healthcare system has a mixture of state-of-the-art applications and devices, as well as older legacy devices that use unsupported operating systems or networking protocols.”
Furthermore, the report said, multiple frameworks exist for addressing cyber risk, which adds to the confusion and leaves room for gaps in protection.
Because of these complexities, the task force concluded that the industry needs a single, consistent cybersecurity framework.
The task force also recommended creating a cybersecurity leadership role within the Department of Health and Human Services (HHS).
Increase the security and resilience of medical devices
The report describes a lifecycle misalignment between medical devices and the software they run on: operating systems and other commercial off-the-shelf (COTS) software have support lifecycles far shorter than the medical devices and electronic health record (EHR) systems built on them, which can remain in clinical use for 10 to 20 years or more.
“Some foundational challenges that will need to be addressed in order to enhance the cybersecurity of medical devices and EHRs include legacy operating systems, secure development lifecycle, strong authentication, and strategic and architectural approaches to product deployment, management, and maintenance on hospital networks,” the report said.
Develop the healthcare workforce to prioritize cybersecurity
The task force said in its report that there are several challenges to building a healthcare workforce that prioritizes cybersecurity:
- Finding people and tools to support small and medium-sized healthcare organizations, which usually cannot afford full-time technical staff.
- Limited resources for reinvestment in cybersecurity, especially among small and medium-sized organizations.
- Establishing cybersecurity leadership roles responsible for identifying risk.
- The growing involvement of patients in their own care, which also increases exposure to threats.
Improve cybersecurity awareness and education
The report suggests three action steps the healthcare industry should take to achieve awareness and education:
- “Increase outreach for cybersecurity across all members of the health care workforce through ongoing workshops, meetings, conferences, and tabletop exercises.
- “Provide patients with information on how to manage their health care data by developing consumer grading systems for non-regulated health care services and products.
- “Develop cyber literacy programs to educate decision makers, executives, and boards of directors about the importance of cybersecurity education.”
Identify mechanisms for protecting against attacks and exposure
The task force recommends doing this by developing guidance for the industry on analyzing the economic impact and potential losses from cybersecurity risk, and by researching how to protect healthcare big data sets.
Improve information sharing about industry threats, risks, and mitigations
“Together, industry and government should work together to ensure that the best resources are leveraged from the various systems and tailored toward the unique needs of health care while protecting privacy and maintaining appropriate legal protections,” the report said.