Evolving healthcare cybersecurity threats are posing even greater risks to the industry, which is why the Health Care Industry Cybersecurity Task Force published a report to “address the growing challenge posed by cyberattacks.”
These threats pose significant patient safety issues, and require both the public and private sector to work together to ensure that healthcare systems and patients remain protected, according to ASPR Office of Emergency Management Director of Division of Resilience Steve Curren.
“Today, much of healthcare is delivered by smaller practices and rural hospitals that may not have the resources to protect against these threats,” Curren wrote in an HHS blog post. “Unfortunately, these organizations often do not possess the infrastructure to identify and track threats, lack the technical capacity to analyze the threat data they receive in order to quickly translate it into actionable information, and lack the capability to act on that information.”
The Task Force was created under the Cybersecurity Information Security Act of 2015, with representatives selected by the Secretary of Health & Human Services, in coordination with the Department of Homeland Security and the National Institute of Standards and Technology.
The Task Force highlighted six imperatives in its report to Congress, along with recommendations for best courses of action to make improvements.
- Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity
- Increase the security and resilience of medical devices and health IT
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
- Increase healthcare industry readiness through improved cybersecurity awareness and education
- Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure
- Improve information sharing of industry threats, risks, and mitigations
Task Force Co-Chairs Emery Csulak and Theresa Meadows, who are CMS CISO and Senior Official for Privacy and Cook Children’s Health Care System Senior VP and CIO, respectively, underlined the need for a unified effort in the report.
“As health care becomes increasingly dependent on information technology, our ability to protect our systems will have an ever greater impact on the health of the patients we serve,” the duo explained. “While much of what we recommend will require hard work, difficult decisions, and commitment of resources, we will be encouraged and unified by our shared values as health care industry professionals and our commitment to providing safe, high quality care.”
Deep digital connectivity is necessary for delivering safe and effective care, the report stated. A connected but insecure network will increase patient safety issues and potentially force individuals to choose between connectivity and security.
“Real cases of identity theft, ransomware, and targeted nation-state hacking prove that our health care data is vulnerable,” the Task Force wrote. “Data collected for the good of patients and used to develop new treatments can be used for nefarious purposes such as fraud, identity theft, supply chain disruptions, the theft of research and development, and stock manipulation.”
The Task Force also contended that the public-private partnership that helped develop the report itself showed a great opportunity to address the current cybersecurity concerns. It was extremely helpful to have the federal and private sector working together, the report stated.
“Therefore, we believe the establishment of an ongoing public-private forum would serve to enhance cybersecurity discussions and protections as a critical component for the health care industry to increase patient safety,” the report authors said.
For the investigation, the Task Force received briefings and consultations from experts from other critical infrastructure sectors. These covered a wide array of topics to understand strategies and safeguards for addressing cybersecurity threats.
It was noted that many healthcare organizations would likely have to choose between two different but very important options when it comes to improving their cybersecurity. For example, an entity may have to choose between procuring new security technologies and related subject matter expertise or purchasing new ventilators and hiring nurses.
“A significant challenge and vulnerability for providers, hospitals, pharmaceutical manufacturers, and laboratories includes the ever-increasing volume of connected medical devices and automated medication delivery systems, which, if not protected, could pose a risk to patient safety,” report authors stated.
“The Task Force discussions highlighted the benefits of engaging in focused conversations between stakeholders across the health care industry; the Task Force encourages the continued coordination and cooperation between industry and the federal government.”