The Health Care Industry Cybersecurity Task Force recently released a report detailing how healthcare organizations can address the growing threat of cyberattacks to health IT infrastructure.
The report discusses the development of the Task Force’s six imperatives, along with recommendations on how to increase healthcare cybersecurity. Report authors highlighted that cybersecurity threatens PHI security and patient safety. Organizations need to ensure that their patients can safely depend on healthcare IT.
The Task Force suggested the following six imperatives to Congress:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, risks, and mitigations.
The report also addressed each imperative individually, including recommendations for public and private healthcare entities. It’s important that the public and private healthcare sectors work together and coordinate to protect PHI that is shared within and among organizations.
“Although one could implement only a few of the recommendations and gain a minimal benefit, implementing all or a majority of the recommendations will compound the benefits to the overall security posture of the health care industry, as well as allow organizations to maximize their financial investments and personnel resources,” the report stated.
Educating staff and patients about cybersecurity is the first line of defense against cyberattacks. Understanding how data is accessed, and the consequences of unsecured PHI access, makes users more aware of cyberattacks and of how to avoid and prevent them.
User education plays a significant role in network defense, but IT still lacks full control over what data is accessed and how. This calls for robust cybersecurity implementations that protect the network from outside threats.
Several of the imperatives suggested that organizations increase IT security to protect patients as well as their data.
The second imperative touched on the potential vulnerabilities found in medical devices. The number of medical devices included in modern health IT infrastructure continues to grow, and organizations are faced with managing and monitoring them for possible threats.
The report suggested that entities pay close attention to legacy medical devices and systems, including EHR applications. Legacy systems present risks to the network if they do not have continued support from both the hardware and software vendors providing the technology.
“Many of these legacy systems have security weaknesses, which may contribute to the compromise of provider networks and systems,” the report said. “Every vendor and health care organization should be able to identify and classify legacy systems and develop an approach (e.g., compensating controls, device update, device retirement, network segmentation, or innovative architectures) to mitigate the associated risks.”
The action item for medical device security suggested that organizations inventory their critical systems and document unsupported OSes, devices and EHR systems. Entities must replace or upgrade systems with alternatives that are supported by vendors and invest in superior security capabilities whenever possible.
If critical devices cannot be replaced right away, organizations should produce retirement timelines so that they can be replaced at a suitable time. The report also recommended that entities make an effort to isolate devices that are being prepared for retirement.
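As an added illustration of the inventory and retirement-timeline action items above (example code written for this article, not from the Task Force report), the script below classifies a constructed device inventory by vendor support status and criticality, then assigns each unsupported device a retirement deadline and the compensating controls (network segmentation, restricted access and monitoring) to apply in the meantime. All device names, dates, field names and control labels are assumptions made for the example.

```python
from datetime import date, timedelta

# Assessment date and sample inventory are constructed for this example; device
# names, OS versions and support dates are illustrative, not from the report.
# end_of_support is when vendor support ended, or None if still supported.
AS_OF = date(2021, 6, 1)
INVENTORY = [
    {"name": "infusion-pump-01", "os": "Windows XP Embedded", "critical": True,
     "end_of_support": date(2016, 1, 12), "replaceable_now": False},
    {"name": "ehr-app-server", "os": "Windows Server 2008", "critical": True,
     "end_of_support": date(2020, 1, 14), "replaceable_now": True},
    {"name": "mri-console", "os": "Windows 7", "critical": True,
     "end_of_support": date(2020, 1, 14), "replaceable_now": False},
    {"name": "badge-printer", "os": "Linux 5.x", "critical": False,
     "end_of_support": None, "replaceable_now": True},
]

def classify(device, today):
    """Bucket a device: supported, replace_now, isolate_and_schedule or schedule."""
    eos = device["end_of_support"]
    if eos is None or eos > today:
        return "supported"
    if device["replaceable_now"]:
        return "replace_now"           # a supported alternative exists: upgrade now
    if device["critical"]:
        return "isolate_and_schedule"  # must stay in service: segment, then retire
    return "schedule"                  # lower risk: retire within the horizon

def plan(inventory, today, horizon_days=180):
    """Per-device action: status, retirement date and compensating controls."""
    actions = []
    for dev in inventory:
        status = classify(dev, today)
        item = {"name": dev["name"], "os": dev["os"], "status": status,
                "retire_by": None, "controls": []}
        if status == "replace_now":
            item["retire_by"] = today
        elif status != "supported":
            # Cannot be replaced immediately: set a retirement deadline and
            # isolate the device from the rest of the network meanwhile.
            item["retire_by"] = today + timedelta(days=horizon_days)
            item["controls"].append("network_segmentation")
            if status == "isolate_and_schedule":
                item["controls"].append("restricted_access_and_monitoring")
        actions.append(item)
    # Unsupported critical devices first so they get attention first.
    actions.sort(key=lambda a: a["status"] != "isolate_and_schedule")
    return actions

for action in plan(INVENTORY, AS_OF):
    print(action["name"], action["status"], action["retire_by"], action["controls"])
```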
Other recommendations included improving manufacturing and development transparency among developers and users, as well as increasing adoption of the secure development lifecycle in the development of medical devices and EHRs.
“The industry needs to take a long-range approach to considering viability, effectiveness, security, and maintainability of medical devices, EHRs, and the interfaces when setting up the IT network and at the outset of product deployment,” the report advised. “The desired end-state is that every product (whether new or when it is being upgraded) have a defined strategy, architectural approach, and design that supports the deployment and overall lifecycle management of that product.”
Cyberattacks on healthcare data continue to threaten patient safety, and organizations need to be sure all health IT security systems are supported. Entities must recognize that security plays a significant part in the development of new medical devices.