Top findings from the HHS cybersecurity report
A new 96-page report from the Department of Health and Human Services finds that cybersecurity is in critical condition for healthcare organizations. Here are the main challenges identified by the report and the key action points it recommends.
1. Addressing security challenges
The top systemic challenges to cybersecurity in the healthcare sector include a severe lack of security talent, vulnerable legacy systems and connectivity that’s required as part of the EHR meaningful use program but lacks secure design and implementation.
2. Defending legacy systems
Health organizations of all sizes wrestle with unsupported legacy information systems that can’t easily be replaced but have significant security vulnerabilities. “The industry will need to dramatically reduce the use of less defensible legacy and unsupported products, and more effectively reduce risk in future products through robust development and support strategies,” report writers say.
3. Getting buy-in
The report acknowledges that providers generally struggled to demonstrate the importance of cyber protection to organization leaders. That must change. “Healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention,” report writers contend.
4. Improving security leadership
To better protect the industry overall, efforts must grow rapidly to define and streamline leadership, raising governance and expectations for healthcare industry cybersecurity. The report suggests creating a cybersecurity leader within HHS.
5. Protecting medical devices
The report emphasizes the importance of increasing the security and resilience of medical devices and health information technology overall. The attack surface expands when mobile devices, medical devices and applications are allowed to connect to providers’ EHRs. Medical devices also take on additional cyber risk when they are connected to the Internet, provider networks or other devices.
6. Developing security staff
Organizations need to develop the healthcare workforce capability that’s necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
7. Increasing preparedness
Efforts need to be increased to boost healthcare industry readiness for cyber attacks through improved cybersecurity awareness and education.
8. Advancing security research
The industry needs to identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
9. Encouraging information sharing
Healthcare organizations must improve their sharing of information about industry threats, weaknesses and mitigations.
10. Involving HHS
“In light of these trends, HHS needs to consider the technical details of how to accomplish this level of interoperability in a secure manner prior to development and deployment,” report authors say. “This will help ensure that this more universal access does not incidentally create a new vulnerable attack surface area.” The full report is available here.