HHS Task Force Report: Healthcare Cybersecurity is in Critical Condition
The Department of Health and Human Services (HHS) Health Care Industry Cybersecurity Task Force, which was formed last year following passage of the Cybersecurity Act of 2015, issued its final report to Congress June 2 with a number of recommendations to improve cybersecurity across the industry.
The report states that “healthcare cybersecurity is in critical condition,” citing a severe lack of security talent, legacy equipment that runs on old, unsupported and vulnerable operating systems, vulnerabilities that impact patient care and an epidemic of known vulnerabilities. The report, developed by Task Force members drawn from government and private industry leadership, also cited “premature and over-connectivity” as an issue contributing to the critical state of cybersecurity. “Meaningful Use requirements drove hyper-connectivity without secure design and implementation,” the report authors wrote.
The Task Force is composed of 21 private and government leaders considered experts in healthcare cybersecurity. The Task Force held public meetings and consulted with other experts over the past year in order to develop recommendations to address the growing challenge posed by cyberattacks.
In the report issued to Congress, the Task Force emphasized that healthcare cybersecurity issues are patient safety issues, and the findings call for a collaborative public and private sector effort to protect the healthcare system and patients from cyber threats.
The Health Information Trust Alliance (HITRUST) issued a statement praising the HHS Health Care Industry Cybersecurity Task Force’s report for bringing attention to security issues within the healthcare industry.
“The report makes clear that there are many steps which public and private partners must take to continue this progress. An important first step is to leverage the work HITRUST has done in developing a healthcare specific security and privacy framework (the HITRUST CSF) and fully support the work the Healthcare and Public Health Sector Coordinating Council (HPH-SCC) has completed (with HITRUST) in developing a healthcare specific implementation guide of the NIST Framework,” the organization stated.
Further, HITRUST wrote, “While the report highlights a number of shortfalls in the industry, the fact remains that companies must continue to invest in security and risk management and move from a compliance to risk management mindset.”
The Task Force report sets out six imperatives to improve cybersecurity, including improving information sharing of industry threats, risks and mitigations, and increasing health care industry readiness through improved cybersecurity awareness and education.
With regard to improving information sharing, the Task Force recommends streamlining information sharing for quick and efficient consumption, especially for small and medium-size organizations and providing security clearance for more members of the health care community to gain access to threat information.
The report also calls for defining and streamlining leadership, governance and expectations for health care industry cybersecurity. To this end, the Task Force recommends creating a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity as well as establishing a consistent, consensus-based healthcare-specific Cybersecurity Framework.
The report authors wrote, “Although NIST (National Institute of Standards and Technology) has developed a generic framework, health care (like other sectors) has many unique aspects such as its diverse resource capabilities, legacy systems that will persist for years, and the burden of the need to have low barriers for sharing of data that is essential for collaborative patient-oriented care. The framework should build upon the minimum standard of security required by the NIST Cybersecurity Framework and the HIPAA Security Rule to promote a single lexicon for health care sector as well as standards, guidelines, and best practices. The complex environment requires certain basic standards that all stakeholders must meet and guidelines that allow flexibility for select issues. Without this framework, any of the countless constituents may pose a risk to the health care ecosystem.”
The Task Force also calls for increasing the security and resilience of medical devices and health IT, with more specific recommendations including securing legacy systems, improving manufacturing and development transparency among developers and users and increasing adoption and rigor of the secure development lifecycle (SDL) in the development of medical devices and electronic health records (EHRs).
The Task Force also calls for establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.
The Task Force report findings also address healthcare cybersecurity workforce issues: one of the six imperatives is to develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. To this end, the Task Force recommends that every organization identify a cybersecurity leadership role for driving more robust cybersecurity policies, processes and functions, with clear engagement from executives. The Task Force also suggests establishing a model for adequately resourcing the cybersecurity workforce with qualified individuals.
“The prospect of supplying even one dedicated resource per organization currently looks daunting; however, managed services and contracted external resources/partners can enhance cybersecurity capability and services,” the report authors wrote, citing the example of the state of California starting the first safe patient ratio staffing system for registered nurses. That program evolved from a critical need to protect patients, nurses and health delivery organizations. “We find ourselves in a similar situation regarding cybersecurity,” the report authors wrote. “There is a need to determine a similar acceptable ratio of health care cybersecurity expertise to the size of the organization, complexity of care, degree of interconnectedness with other organizations, etc. The larger the organization, the more security professionals are required.”
To address the workforce gap, the Task Force also advises examining the impact of the Stark Law and Anti-Kickback regulations as well as leveraging managed security service providers (MSSPs) to develop a business and security model.
One of the six imperatives is to identify mechanisms to protect R&D efforts and intellectual property from attacks and exposure.
In a blog post, Steve Curren, director of the division of resilience in the Office of the Assistant Secretary for Preparedness and Response’s (ASPR) Office of Emergency Management, wrote about the Task Force report, “Today, much of healthcare is delivered by smaller practices and rural hospitals that may not have the resources to protect against these threats. Unfortunately, these organizations often do not possess the infrastructure to identify and track threats, lack the technical capacity to analyze the threat data they receive in order to quickly translate it into actionable information, and lack the capability to act on that information.
Further, Curren wrote, “The Office of the Assistant Secretary for Preparedness and Response understands that healthcare facilities are facing these challenges right now and we have developed a collection of peer-reviewed resources on cybersecurity to help healthcare industry stakeholders better protect against, mitigate, respond to, and recover from cyber threats, in order to better defend patient safety and operational continuity.
“As called for by the Cybersecurity Information Sharing Act of 2015 the HHS Secretary is sharing educational materials on cybersecurity, including the Task Force’s report and appendix, with industry stakeholders to improve preparedness for and response to cybersecurity threats. The Health Care Industry Cybersecurity Task Force’s report contains valuable recommendations to help improve cybersecurity throughout the healthcare sector that ultimately could better protect patient care and public health,” Curren wrote.