[BreachExchange] Task Force Tackles Healthcare Cybersecurity Challenges

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 26 19:27:11 EDT 2016


http://www.information-management.com/news/security/
task-force-tackles-healthcare-cybersecurity-challenges-10029855-1.html

A healthcare cybersecurity task force mandated by Congress is developing a
set of recommendations that it hopes will help to counter the growing cyber
threats that are putting patient information at risk.

Created by the Department of Health and Human Services in response to the
Cybersecurity Information Sharing Act of 2015, the task force is charged
with examining healthcare’s challenges in securing data from hacker attacks
and to see what best practices/lessons can be learned from other industries
in how to successfully implement safeguards.

According to Theresa Meadows, co-chair of the Health Care Industry
Cybersecurity Task Force and CIO of Cook Children’s Health Care System, the
panel’s 20 subject matter experts are drawn from a wide variety of
organizations including providers, payers, pharmaceutical companies,
medical device manufacturers, IT vendors, and government agencies.

“We have representation from all the segments within healthcare so that we
can have well-rounded discussions,” said Meadows. “There’s also a patient
advocate on the task force.”

Meadows said the task force has held several public and private meetings to
date and will be “wrapping up its charge” early next year, after which it
will report to Congress on its findings and recommendations.

Among the areas that the task force will be addressing in its final report
are:

- Reviewing challenges to secure networked medical devices and other
software or systems that connect to an electronic health record;
- Providing the HHS Secretary with information to disseminate to healthcare
industry stakeholders to improve their preparedness for, and response to
- Cybersecurity threats; and
Establishing a plan to create a single system for the federal government to
share actionable intelligence regarding cybersecurity threats to the
healthcare industry in near real-time for no fee.

“Today, there’s not a good mechanism for sharing information when
cybersecurity issues occur,” observes Meadows. “Usually what happens is we
hear through word of mouth or we see it in the media, but we don’t really
know what the cause was and so there’s no way for us to be proactive in
preventing these things in our organizations.”

With the rash of recent ransomware attacks on healthcare organizations,
Meadows says that the panel will also be taking a look at how to protect
health data from these kinds of file-encrypting malware. Ransomware is
within the “scope of risk that people need to know about and how to
mitigate, so we will put together some recommendations around that,” she
adds.

When it comes to the vulnerabilities of networked medical devices, Meadows
notes that most of the devices currently in use at healthcare facilities
are between five to 10 years old. The problem with these legacy medical
devices is that “ten years ago nobody was thinking about security,” Meadows
says.

As Meadows points out, compared to other industries, healthcare’s
cybersecurity environment is unique which can be limiting in terms of
potential safeguards that can be put in place.

“In banking, they can lock down everything because they don’t have to worry
about a physician needing access to patient information,” Meadows remarks.
“That’s a normal daily occurrence and if we lock up the data then care
cannot be provided. If physicians don’t have access to medical records or
lab results, that’s a big deal. They’ve got to have access to the data at
all times.”

“We’ve got to find a model that works for healthcare and still allows us to
provide care—and that’s the delicate balance,” Meaadows concludes. “We’re
in a data gathering mode right now.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160926/6627577e/attachment.html>


More information about the BreachExchange mailing list