While a set of more than 100 recommendations to help increase cybersecurity across the healthcare industry might seem like overkill, the co-chair of a task force that developed them believes the challenges are urgent and wide-ranging, requiring immediate and aggressive action.
“There are so many areas that need to be addressed, quite frankly, given the complexity of healthcare,” says Theresa Meadows, co-chair of the Health Care Industry Cybersecurity Task Force, which was created by Congress through the Cybersecurity Act of 2015 to examine the sector’s vulnerabilities.
Specifically, the task force’s June 2 report, which was sent to several congressional committees, calls for a unified effort by both the public and private sectors to counter the growing cyber threats that are putting patient information and safety at risk.
“Real cases of identity theft, ransomware and targeted nation-state hacking prove that our healthcare data is vulnerable,” states the report, which was finalized prior to last month’s WannaCry ransomware attack that compromised more than 300,000 computers worldwide in at least 150 countries, including the National Health Service in the United Kingdom.
“A breach is not a matter of if, but when,” warns Meadows. “Everybody is going to experience some level of this type of issue. One of the most important takeaways from the task force report is knowing your plan of action when a situation occurs so you can mitigate and recover from such an event.”
Meadows, who is also senior vice president and chief information officer at Cook Children’s Health Care System, contends that the panel’s intention was to provide actionable recommendations designed to increase security across the industry – each recommendation has one or more action items for implementing them.
The task force’s 100-plus recommendations are organized into six high-level imperatives, including increasing the security and resilience of medical devices and health IT. In particular, Meadows observes that medical devices are a “tough not to crack because most institutions have medical devices for many years,” adding that, on average, it’s a 10- to 15-year investment timeframe.
“Our security posture has really changed over those 15 years, and those devices were not designed to have all of those mitigation factors in place, nor were they designed to be fully integrated to electronic health records,” she notes. “Some of the mandates around Meaningful Use have really driven up the risk around medical devices because they weren’t initially designed that way. The key is beginning to replace those legacy devices so we can have them on the most current software and security without it being cost-prohibitive.”
According to Meadows, another high-level healthcare cybersecurity imperative is improving information sharing of industry threats, weaknesses and mitigations. “Some organizations wouldn’t want to report a security incident because of how it might affect them from a consumer standpoint, but there are a lot of good mechanisms to share critical information to fix and prevent issues without identifying the institutions that reported it,” she says.
Meadows believes that one of the strongest recommendations made by the task force is for the Department of Health and Human Services to create a cybersecurity leader role within HHS to align industry-facing efforts for healthcare cybersecurity. She makes the case that many different programs and agencies within and outside of HHS are responsible for cybersecurity, but it’s critical to have a single person who is responsible for coordinating these activities.
Overall, the successful implementation of these recommendations “will require adequate resources and coordination across the public and private sector,” finds the task force’s report.
However, the task force points out that healthcare organizations “often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.”
It’s a serious problem for healthcare organizations, which have a responsibility to secure their systems, medical devices and patient data from these kinds of cyber attacks with razor-thin operating margins, and, as a result, “cannot afford to retain in-house information security personnel, or designate an information technology staff member with cybersecurity as a collateral duty,” according to the task force.
Meadows acknowledges that security is a “harder sell” for C-level healthcare executives “because it’s really an insurance policy and there’s no perceived ROI to having good security posture and hygiene,” particularly in smaller organizations facing resource constraints.
However, organizations making the decision to “prioritize cybersecurity within the healthcare industry requires culture shifts and increased communication to and from leadership, as well as changes in the way providers perform their duties in the clinical environment,” concludes the task force report.
“People are beginning to see that it’s more of a priority,” adds Meadows. “It’s going to take all of us working together to really make some headway on these issues on how to improve security in healthcare. I hope organizations will really take to heart some of the recommendations that have been made and begin to put implementation plans in place.”