[BreachExchange] HHS Report Urges Health Care Industry to Address Cybersecurity Risks

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 19 19:48:49 EDT 2017


http://www.jdsupra.com/legalnews/hhs-report-urges-health-care-industry-13156/

In early June 2017, the U.S. Department of Health and Human Services (HHS)
Health Care Industry Cybersecurity (HCIC) Task Force released a “Report on
Improving Cybersecurity in the Health Care Industry” (the Report). The
Report provides six primary recommendations for government and health care
organizations to “help increase security across the health care industry.”
The Report describes the health care industry’s cybersecurity issues as
“patient safety” issues and emphasizes that all health care delivery
organizations have a greater responsibility to secure their systems,
medical devices, and patient data. The Report is particularly timely in the
wake of the ransomware attack in May that crippled hospitals and health
systems in the United Kingdom, and other businesses and industries across
the globe. Cybersecurity planning is important for all industries,
including participants in the health care delivery system – providers,
payors, pharmaceutical companies, medical device manufacturers, and vendors.

The Report describes various factors contributing to how health care
cybersecurity has become “a key public health concern that needs immediate
and aggressive attention.” Among the factors included are the need to
access patient information and share data quickly, the increasing volume of
connected medical devices, and the digitalization of patient data in
electronic health record systems (EHRs). Health care’s mission of helping
patients – as many patients as quickly as possible – in order to avoid bad
clinical outcomes presents privacy and security challenges that are unique
to this industry.

The Report’s six recommendations, with key corresponding action items for
the health care industry to increase security, are below (Appendix A to the
report, which sets forth all recommendations and action items, is available
here).

1. Define and streamline leadership, governance and expectations for health
care industry cybersecurity.

HHS should create a cybersecurity leader position to coordinate health care
cybersecurity activities within HHS, establish a health care-specific
Cybersecurity Framework, and require federal regulatory agencies to
harmonize existing and future health care cybersecurity laws.
Congress should explore potential impacts to federal fraud and abuse laws
(i.e., the Stark Law and Anti-Kickback Statute), if sharing of
cybersecurity resources is permitted.

2. Increase the security and resilience of medical devices and health
information technology (IT).

Health care delivery organizations should secure legacy systems, require
strong authentication, and employ approaches to reduce the areas where
vulnerabilities can be exploited by a hacker (known as the “attack
surface”) for medical devices and EHRs.
Federal agencies should establish a team (MedCERT) to coordinate medical
device-specific cybersecurity.

3. Develop the health care workforce capacity necessary to prioritize and
ensure cybersecurity awareness and technical capabilities.

Every organization should identify cybersecurity leadership, and the
industry should establish a model for hiring.
The federal government should create managed security services provider
(MSSP) models to support small and medium-sized providers, and these
providers should evaluate options to migrate patient records and legacy
systems to secure environments.

4. Increase health care industry readiness through improved cybersecurity
awareness and education.

The industry should ensure existing and new products/systems risks are
managed securely.
HHS should work with the National Institute of Standards and Technology
(NIST), implement an education campaign, and provide patients with
information on how to manage their health care data.

5. Identify mechanisms to protect R&D efforts and intellectual property
from attacks or exposure.

The federal government should develop guidance on how to create an economic
impact analysis describing cybersecurity risk.
Entities that manage big data solutions should pursue research into
protecting health care big data sets.

6. Improve information sharing of industry threats, risks, and mitigations.

HHS and the industry should broaden information sharing, including for
small and medium-size health care organizations, and create more effective
mechanisms for disseminating and utilizing data.
Health care delivery organizations should implement cybersecurity incident
response plans that are reviewed and tested annually.

The HCIC Task Force was created as part of the Cybersecurity Act of 2015 to
“address the challenges the health care industry faces when securing and
protecting itself against cybersecurity incidents.” The HCIC Task Force’s
directives included: analyze how other industries have implemented
cybersecurity strategies and safeguards; analyze cyber challenges to
private entities in the health care industry; review challenges in securing
networked medical devices and other software or systems that connect to an
EHR. According to the HHS, the HCIC Task Force was composed of government
and private industry leaders who are innovators in technology and leaders
in health care cybersecurity. The HCIC Task Force held public meetings and
consulted with other experts over the past year in order to develop the
recommendations.

The full Report may be found here: Report on Improving Cybersecurity in the
Health Care Industry.

With the increasing use and reliance upon electronic data, and the
sophistication of hackers, it is imperative that businesses across the
health care delivery system take steps to secure health care data,
including confirming the compliance and efficacy of HIPAA Security Rule
programs.