Panel urges quick, decisive action on cybersecurity
Healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention to counter the growing threats that are putting patient information at risk, according to the findings of a just-released task force report mandated by Congress.
The task force’s 21 subject matter experts, drawn from a diverse group of stakeholders, was created by the Department of Health and Human Services in response to the Cybersecurity Information Sharing Act of 2015 and charged with examining healthcare’s challenges in securing data from hacker attacks and to see how safeguards can be improved.
The panel, co-chaired by Emery Csulak, chief information security officer at the Centers for Medicare and Medicaid Services, and Theresa Meadows, chief information officer at Cook Children’s Health Care System, developed a set of more than 100 recommendations to help increase cybersecurity across the healthcare industry.
Specifically, the Task Force identified six ‘high-level imperatives by which to organize its recommendations and action items,” including:
- Defining and streamlining leadership, governance and expectations for healthcare industry cybersecurity.
- Increasing the security and resilience of medical devices and health IT.
- Developing the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increasing healthcare industry readiness through improved cybersecurity awareness and education.
- Identifying mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improving information sharing of industry threats, weaknesses and mitigations.
“As healthcare becomes increasingly dependent on information technology, our ability to protect our systems will have an ever greater impact on the health of the patients we serve,” wrote Csulak and Meadows to the chairmen of several congressional committees in a June 2 letter accompanying the report. “While much of what we recommend will require hard work, difficult decisions and commitment of resources, we will be encouraged and unified by our shared values as healthcare industry professionals and our commitment to providing safe, high quality care.”
Russell Branzell, president and CEO of the College of Healthcare Information Management Executives, applauded the task force’s report, which he said “marks an important milestone in the recognition of the importance of strengthening the cybersecurity posture of the healthcare industry, which has lagged behind other critical infrastructures.”
On that front, the task force looked at best practices and lessons learned from other industries, including briefings from members of the financial services and energy sectors. In particular, the panel agreed with the idea of “leveraging shared resources, personnel and capabilities, similar to what the financial services sector has implemented.”
However, at the same time, the task force found that “some of the unique aspects of the healthcare industry would prevent the direct adoption and implementation of these practices: size and diversity of the industry; forced digitization; reliance on legacy systems; delays in identifying threats; and the number of highly interconnected systems in healthcare versus the number of closed systems present in the financial services and energy sectors.”
Branzell said CHIME welcomed the more than 100 recommendations made by the task force. “The report and the task force’s thoughtful recommendations come at a critical time, offering solutions to many of the challenges and opportunities our members have previously identified in their efforts to improve their organization’s cybersecurity hygiene,” he added, including the “need for the federal government to offer incentives to encourage greater investment in cybersecurity and the need for a single point of contact within HHS on cybersecurity.”
CHIME also supports the recommendations concerning the need to identify gaps in device surveillance and cybersecurity, including harmonizing disparate rules like aligning HIPAA guidance with the Food and Drug Administration’s oversight of medical devices.
“The successful implementation of these recommendations will require adequate resources and coordination across the public and private sector,” concludes the task force report. “Once implemented, the recommendations will increase security for the healthcare industry’s organizations, networks and associated medical devices.”
The Health Care Industry Cybersecurity Task Force’s 88-page report can be found here.