10 takeaways from HHS’s new cybersecurity report

Top findings from the HHS cybersecurity report

A new 96-page report from the Department of Health and Human Services finds that cybersecurity is in critical condition for healthcare organizations. Here the main challenges identified by the report and key action points it recommends.

1. Addressing security challenges

The top systemic challenges to cybersecurity in the healthcare sector include a severe lack of security talent, vulnerable legacy systems and connectivity that’s required as part of the EHR meaningful use program but lacks secure design and implementation.

2. Defending legacy systems

Health organizations of all sizes wrestle with unsupported legacy information systems that can’t easily be replaced but have significant security vulnerabilities. “The industry will need to dramatically reduce the use of less defensible legacy and unsupported products, and more effectively reduce risk in future products through robust development and support strategies,” report writers say.

3. Getting buy-in

The report acknowledges that providers generally struggled to demonstrate the importance of cyber protection to organization leaders. That must change. “Healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention,” report writers contend.

4. Improving security leadership

To better protect the industry overall, efforts must grow rapidly to define and streamline leadership, raising governance and expectations for healthcare industry cybersecurity. The report suggests creating a cybersecurity leader within HHS.

5. Protecting medical devices

The report emphasizes the importance of increasing the security and resilience of medical devices and health information technology overall. The attack surface has been expanded when mobile devices, medical devices and applications are allowed to connect to providers’ EHRs. Further, additional cyber risk is introduced to medical devices as well when devices are connected to the Internet, provider networks or other devices.

6. Developing security staff

Organizations need to develop the healthcare workforce capability that’s necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

7. Increasing preparedness

Efforts need to be increased to boost healthcare industry readiness for cyber attacks through improved cybersecurity awareness and education.

8. Advancing security research

The industry needs to identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

9. Encouraging information sharing

Healthcare organizations must improve efforts at information sharing of industry threats, weaknesses and mitigations.

10. Involving HHS

“In light of these trends, HHS needs to consider the technical details of how to accomplish this level of interoperability in a secure manner prior to development and deployment,” report authors say. “This will help ensure that this more universal access does not incidentally create a new vulnerable attack surface area.” The full report is available here.