HIMSS: We need a national cyber leader

The Healthcare Information and Management Systems Society is calling on the Department of Health and Human Services to appoint a “cyber leader” who would serve in an elevated chief information security officer position.

In particular, a new HIMSS policy paper touts an expanded role for the HHS chief information security officer, with duties inside the agency as well as responsibility for working with outside healthcare stakeholders to guide cybersecurity efforts. Leo Scanlon is the current CISO at HHS.

“A proactive approach to security must be the norm, not the exception, to enable trust in, and facilitate collaboration and cooperation amongst, organizations,” HIMSS notes in its new position statement. “By becoming more difficult to infiltrate, the health sector will become less of a target by cyber criminals.”


To become less of a target, HIMSS calls on all stakeholders to exchange information on cyber threats, threat actors, vulnerabilities and mitigation efforts. This level of cooperation, which Scanlon or a successor in the CISO role could help coordinate, could overcome the policy, cultural and financial roadblocks that inhibit the development of new cybersecurity solutions.

The association also is pitching for adoption of a universal privacy and security framework across the industry. Specifically, it recommends the NIST Cybersecurity Framework.


HIMSS does not seek a mandate for use of the NIST Cybersecurity Framework, as its members have made it clear that they are overwhelmed with policies and don’t want new regulations or laws, says Lee Kim, director of privacy and security at HIMSS.

Further, setting a mandated security framework in law would not be practical, Kim adds. “We have seen how slowly regulations and laws get written and put into force. By that time, the threat landscape will have totally changed.”

The policy statement, Kim notes, is aspirational with a message that the industry needs to get better and raise its cyber protection capabilities.

Any framework should include model cybersecurity architectures, risk assessments, business associate agreements, support of individual privacy/security rights, and a national strategy for patient identification and matching.

Specific goals for cyber leaders to target include expanding the pool of qualified cyber personnel, ensuring adequate threat and asset response, advancing education, adopting lessons from HITECH-funded Regional Extension Centers to influence small providers, and timely sharing of threat information, among others. The HIMSS position statement is available on the HIMSS website.
