The health care industry has long been a honeypot for hackers: Hospitals and care facilities hold reams of personal information, the kind that's of value to criminals and spies alike, and the criticality of that data in keeping people alive makes them prime targets for ransomware.
The Department of Health and Human Services is well aware of these problems and has been studying them as part of its Health Care Industry Cybersecurity Task Force, which released its first report to Congress late Friday afternoon.
The findings "demonstrate the urgency and complexity of the ever-changing cybersecurity risks facing the healthcare industry," said Steve Curren, director of the Division of Resilience in the HHS Office of the Assistant Secretary for Preparedness and Response (ASPR) Office of Emergency Management. "Their report emphasizes that healthcare cybersecurity issues are patient safety issues, and calls for a collaborative public and private sector effort to protect our healthcare systems and patients from cyber threats."
These issues – and the need for a combined public-private sector response – were brought to the fore again during the recent WannaCry ransomware attack, which first gained international coverage as hospitals throughout England found themselves unable to access their systems.
"The [U.S.] federal government takes these threats very seriously," said Curren. "That is why HHS focused in two primary areas of cybersecurity during the recent global ransomware attack: Protection of HHS systems and coordination with our private sector partners to help protect their systems, as well."
The report submitted June 2 includes six "imperatives" for the health care industry and federal government to secure this critical infrastructure.
The recommendations focus mainly on increasing information sharing and awareness and increasing partnerships between industry and government, as well as creating a high-level "cybersecurity leader" position within HHS.
From a Task Force fact sheet:
Imperative 1: Define and streamline leadership, governance and expectations for health care industry cybersecurity.
Recommendations within this imperative focus on leadership and accountability for cybersecurity in corporate governance structures, industry organizations and government at all levels. The Task Force recommends the creation of a "cybersecurity leader" role within HHS to coordinate activities and serve as a single focal point for industry engagement across regulatory and voluntary cybersecurity programs.
Imperative 2: Increase security and resilience of medical devices and health IT.
This imperative addresses the Cybersecurity Information Sharing Act's mandate to review the unique cybersecurity challenges of medical devices and electronic health records. This imperative takes a total product lifecycle approach, recommending a mix of regulatory, accreditation, information sharing and voluntary development and adoption of standards to promote system security from product design and development through end of life.
Imperative 3: Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
In this section, the Task Force outlines the major workforce challenges facing health care information technology and cybersecurity, especially among small, rural and other lesser-resourced organizations. It recommends steps to enhance cybersecurity leadership in organizations, develop the nation's health care cybersecurity workforce, and create options for organizations to gain efficiencies by leveraging shared cybersecurity services.
Imperative 4: Increase health care industry readiness through improved cybersecurity awareness and education.
This imperative focuses on increasing the cybersecurity posture within organizations by raising awareness among corporate leadership, educating employees on the importance of cybersecurity, and empowering patients to make better choices related to the security of their personal health information. The Task Force recommends that HHS work with government and industry partners to promote cybersecurity awareness across health care.
Imperative 5: Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
This section focuses on the significant problem of health care intellectual property theft related to areas such as clinical trials, drug and device development, big data applications, and general health care business operations. It recommends activities to increase the industry's understanding of the scope of the problem and the economic and other risks of continuing intellectual property loss.
Imperative 6: Improve information sharing of industry threats, risks and mitigations.
Recommendations under this imperative focus on the sharing of cyber threat information among government and industry stakeholders. The Task Force recommends general principles to follow in the establishment of cyber threat information sharing systems in health care, with a focus on ensuring that actionable information reaches small and rural organizations.