- In the wake of the Health Care Industry Cybersecurity Task Force releasing its report to Congress, the healthcare industry has largely had a positive reaction to the report’s recommendations on how to protect against evolving threats.
The report highlighted six key imperatives, along with corresponding recommendations and action items, and also stressed the importance of the private and public sectors working together.
For example, the Task Force said medical device security and resilience must be improved and that the healthcare workforce capacity must be developed “to prioritize and ensure cybersecurity awareness and technical capabilities.”
Improved information sharing will also help identify potential threats, risks, and mitigations.
Task Force member and HITRUST Board Member Roy Mellinger explained in a statement that being able to protect IT systems will have an even greater impact on patients as healthcare continues to depend on IT.
“While the report highlights a number of shortfalls in the industry, the fact remains that companies must continue to invest in security and risk management and move from a compliance to risk management mindset,” Mellinger wrote.
He added that a healthcare-specific security and privacy framework, such as the HITRUST CSF can be greatly beneficial in this process. Furthermore, a healthcare-specific implementation guide of the NIST Cybersecurity Framework will help create stronger protections.
“…cybersecurity issues are, at their heart, patient safety issues,” Mellinger said. “As health care becomes increasingly dependent on information technology, our ability to protect our systems will have an ever greater impact on the health of the patients we serve.”
CHIME President and CEO Russell Branzell also praised the report, saying that it was rewarding to see more than 100 recommendations put forth on how to improve healthcare cybersecurity. This is especially true as the industry has long lagged behind other sectors in this area.
“Our members welcomed recommendations concerning the need for the federal government to offer incentives to encourage greater investment in cybersecurity and the need for a single point of contact within HHS on cybersecurity. CHIME members also support the recommendations concerning the need to identify gaps in device surveillance and cybersecurity, including harmonizing disparate rules like aligning the Health Insurance Portability and Accountability Act (HIPAA) guidance with the Food and Drug Administration’s (FDA) oversight of devices.”
HIMSS explained in its own statement that it had “extremely positive” first impressions of the report’s noted imperatives, recommendations, and action items.
Previously, HIMSS suggested that a universal information privacy and security framework for healthcare be adopted. It also recommended creating an HHS cyber leader role and that the shortage of qualified cybersecurity professionals be addressed.
All of these points were discussed in the Task Force report.
“HIMSS also appreciates the focus from the Task Force on promoting the greater sharing of threat information across the entire community, and tailoring information sharing for easier consumption by small and medium-size organizations,” the statement read. “HIMSS stands ready to continue to work with HHS to increase health care industry readiness through improved cybersecurity awareness and education.”
The AHA also applauded the report, adding that it was looking forward to review it even more closely.
“This report comes at an important time and the recommendations will facilitate discussion of needed steps to further protect our interconnected health information systems, from the smallest physician office to the largest insurer,” AHA Vice President of Policy Chantal Worzala said in a statement.
“While cyber threats will continue against the health care field, we will continue to work with the federal government, policymakers, law enforcement, partners in the private sector, and hospitals and health systems to mitigate risk and protect the information of patients.”