With National Cyber Security Awareness Month here, there is no better time to talk about the current cybersecurity landscape within the healthcare industry as well as some of the biggest challenges organizations are facing today. All of this and more was covered in the recent Report on Improving Healthcare Industry Cybersecurity, published earlier this year to assess the current healthcare cybersecurity landscape and offer recommendations for improvement.
The report was created by the Healthcare Industry Cybersecurity Task Force, a group established under the Cybersecurity Information Sharing Act of 2015 to analyze the current state of cybersecurity within healthcare, how other sectors approach cybersecurity, the challenges specific to healthcare, and differing approaches to information sharing. The report outlines six recommendations, each with action items for implementing it, and in today’s post we’ll cover the first three.
1. Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity. The Task Force found that many different programs and agencies, both inside and outside the U.S. Department of Health and Human Services (HHS), share responsibility for healthcare industry cybersecurity, each with its own language and framework for assessing risk. The report recommends that a single leader be responsible for coordinating these activities, and that the industry adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework so that risk assessments and risk definitions are consistent across organizations.
2. Increase the security and resilience of medical devices and health IT. The Task Force noted that many providers run outdated operating systems, medical devices, and electronic health record (EHR) systems, many of which carry known security weaknesses because the hardware and software vendors that supplied these legacy solutions no longer provide patches or support. The Task Force offered a number of recommendations, including: an inventory and replacement of outdated health IT systems, together with incentives and guidelines for reporting and/or continuing to use unsupported systems; strong (two-factor or multi-factor) authentication; and the creation of a Medical Computer Emergency Readiness Team (MedCERT) to coordinate vulnerability handling for medical devices.
3. Develop the healthcare workforce necessary to prioritize and ensure cybersecurity awareness and technical capabilities. The Task Force stressed the importance of identifying a cybersecurity leader in each organization, typically the Chief Information Security Officer (CISO), while acknowledging that staffing such a role can be a challenge for smaller organizations. For cybersecurity to remain top of mind, the Task Force stated that organizations need to attract and retain the highest caliber of cybersecurity talent. To support this, there should be methods for certifying higher education programs in cybersecurity, particularly those focused on healthcare and patient safety.
According to the Task Force, once implemented, the recommendations will help increase awareness, manage threats, reduce risks and vulnerabilities, and put in place protections against cyberattacks that are currently missing across most of the healthcare industry. In our next post, we’ll cover the final three recommendations from the report.