[BreachExchange] Healthcare cybersecurity is due for a checkup

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 21 14:28:23 EDT 2017


http://www.nhbr.com/July-21-2017/Healthcare-cybersecurity-is-due-for-a-checkup/

Technology has dramatically transformed modern healthcare. Patients can
view lab results in real time, make appointments online and use smartphone
apps to control medical devices. In addition, the widespread use of
electronic health records has improved data-sharing and collaboration among
physicians and their patients, reduced medical errors and improved medical
research.

Although the digitization of health information has enhanced the delivery
of care, it has also made healthcare data more exposed to attack. A
June 2017 report published by the Health Care Industry Cybersecurity Task
Force found serious deficiencies in the healthcare industry's cybersecurity
preparedness.

The task force, which Congress established through the Cybersecurity Act of
2015, encourages the use of technology throughout the healthcare industry,
but it also recognizes the need for safeguards to help prevent hackers from
using those technologies to steal patient data and other valuable
information.

Cybersecurity vulnerabilities

According to the task force report, a number of factors contribute to cyber
vulnerabilities in the healthcare sector, including the urgency of clinical
situations, tension between departmental priorities, and budget constraints.

For example, hospitals are generally “public” institutions that function at
all hours of the day and night, and they are open to anyone looking for
medical services. Amid these chaotic, fast-paced environments, dozens of
providers and staff must communicate in order to maintain effective patient
care. When faced with a critical care situation, healthcare personnel may
have little choice but to leave a workstation unlocked to allow other
providers to access vital patient information and identify potential
patient safety issues. Indeed, the urgent need for information can be in
conflict with best practices related to privacy and security.

The report also notes that, at the organizational level, cybersecurity is
often viewed as a siloed “IT” problem, and not something that requires
high-level attention. Until a healthcare organization experiences a data
breach, information security professionals may have trouble convincing the
organization that cyber-attacks pose risks to patient care, or that
proactive measures can protect the organization against long-term
reputational damage.

In light of recent attacks on hospitals, however, this fragmented approach
is dangerous. The May 2017 "WannaCry" ransomware outbreak, which disrupted
National Health Service hospitals in the U.K., highlights the need for
preparedness and coordinated efforts between various departments, including
information security, risk management and legal.

The tension between the cost of preparedness and an organization’s limited
resources can also be problematic, particularly in smaller organizations.

As one task force member put it, the high costs of cybersecurity measures
could force providers to choose between “procuring new security
technologies and related subject matter expertise, or purchasing new
ventilators and hiring nurses.” Yet, as the report points out, it is
misguided to assume that cyberattacks only affect large organizations.
Healthcare organizations of all sizes are targets, in part because of the
valuable nature of health information and the black market for medical
records.

Six improvement ‘imperatives’

With this background in mind, the task force identified six “imperatives”
to improve cybersecurity in the healthcare industry:

1. Define and streamline leadership, governance and expectations for
healthcare industry cybersecurity

2. Increase the security and resilience of medical devices and health IT

3. Develop the healthcare workforce capacity necessary to prioritize and
ensure cybersecurity awareness and technical capabilities

4. Increase healthcare industry readiness through improved cybersecurity
awareness and education

5. Identify mechanisms to protect research and development efforts and
intellectual property from attacks or exposures

6. Improve information sharing of industry threats, weaknesses and
mitigations.

Although achievement of the recommended goals will require coordination
across the public and private sectors, there are many ways that healthcare
organizations can immediately begin addressing cybersecurity issues.

Identifying a dedicated cybersecurity leader is a good place to start.
Small and medium-sized organizations also may want to consider migrating
patient records from unsupported legacy systems to environments that are
actively maintained and patched, such as cloud-based storage. Cloud storage
is not more secure by default, however: the gain depends on access controls,
encryption, audit logging and a business associate agreement with the
provider being in place. Organizations of all sizes should begin developing
and updating policies related to cybersecurity and data privacy.

Finally, healthcare organizations should ensure that they are in compliance
with state and federal laws related to data privacy and the protection of
health information.

Despite the rapid pace of change in technology and the healthcare industry,
there are resources available for strengthening cybersecurity. The task
force report provides useful strategies for improving preparedness, and
consulting with legal counsel can help ensure compliance with applicable
laws.

With more data being created every minute, and more devices being connected
every day, preparedness is vital to fighting cybercrimes. We must face
these difficult issues directly — the future of healthcare depends on it.