Task force tackles healthcare cybersecurity challenges
A healthcare cybersecurity task force mandated by Congress is developing a set of recommendations that it hopes will help to counter the growing cyber threats that are putting patient information at risk.
Created by the Department of Health and Human Services in response to the Cybersecurity Information Sharing Act of 2015, the task force is charged with examining healthcare’s challenges in securing data from hacker attacks and with identifying what best practices and lessons can be learned from other industries about how to successfully implement safeguards.
According to Theresa Meadows, co-chair of the Health Care Industry Cybersecurity Task Force and CIO of Cook Children’s Health Care System, the panel’s 20 subject matter experts are drawn from a wide variety of organizations including providers, payers, pharmaceutical companies, medical device manufacturers, IT vendors, and government agencies.
“We have representation from all the segments within healthcare so that we can have well-rounded discussions,” said Meadows. “There’s also a patient advocate on the task force.”
Meadows said the task force has held several public and private meetings to date and will be “wrapping up its charge” early next year, after which it will report to Congress on its findings and recommendations.
Among the areas that the task force will be addressing in its final report are:
- Reviewing challenges to secure networked medical devices and other software or systems that connect to an electronic health record;
- Providing the HHS Secretary with information to disseminate to healthcare industry stakeholders to improve their preparedness for, and response to, cybersecurity threats; and
- Establishing a plan to create a single system for the federal government to share actionable intelligence regarding cybersecurity threats to the healthcare industry in near real-time for no fee.
“Today, there’s not a good mechanism for sharing information when cybersecurity issues occur,” observes Meadows. “Usually what happens is we hear through word of mouth or we see it in the media, but we don’t really know what the cause was and so there’s no way for us to be proactive in preventing these things in our organizations.”
With the rash of recent ransomware attacks on healthcare organizations, Meadows says that the panel will also be taking a look at how to protect health data from these kinds of file-encrypting malware. Ransomware is within the “scope of risk that people need to know about and how to mitigate, so we will put together some recommendations around that,” she adds.
When it comes to the vulnerabilities of networked medical devices, Meadows notes that most of the devices currently in use at healthcare facilities are between five and 10 years old. The problem with these legacy medical devices is that “ten years ago nobody was thinking about security,” she says.
As Meadows points out, healthcare’s cybersecurity environment is unique compared to other industries, which can limit the safeguards that can be put in place.
“In banking, they can lock down everything because they don’t have to worry about a physician needing access to patient information,” she remarks. “That’s a normal daily occurrence and if we lock up the data then care cannot be provided. If physicians don’t have access to medical records or lab results, that’s a big deal. They’ve got to have access to the data at all times.”
“We’ve got to find a model that works for healthcare and still allows us to provide care—and that’s the delicate balance,” she concludes. “We’re in a data gathering mode right now.”