The Health Care Industry Cybersecurity (HCIC) Taskforce released the final version of its report to Congress on June 2, 2017. By way of background, given the significant cybersecurity threats and cyber-attacks facing the healthcare industry, the Health Care Industry Cybersecurity (HCIC) Taskforce was formed in accordance with Section 405 of the Cybersecurity Act of 2015 (CSA). The Taskforce was established for a time period of one year. The Taskforce was chartered to perform activities including the following:
- Analyze the healthcare cybersecurity problem, analyze other sectors’ approaches to cybersecurity;
- Review challenges in regard to securing connected medical devices and other software or systems that connect to electronic health record systems; and
- Establish a cybersecurity information sharing plan for the healthcare industry.
The findings within the report are the result of discussions among other Taskforce members, experts in the healthcare industry, and colleagues in government and cross-sector critical infrastructure sectors. This article highlights key content from the Taskforce’s report and provides relevant information on HIMSS initiatives, as appropriate.
Taskforce: Healthcare Cybersecurity is Unique: Patient Safety and Availability of Data
While the aims of cybersecurity is uniform across all sectors (including healthcare)—namely, protecting the confidentiality, integrity, and availability of information—healthcare is unique. In other sectors, there may be a greater emphasis on confidentiality due to the need to keep sensitive information secret.
However, in the healthcare industry, availability is very important. You cannot take care of patients without having availability of information. Having high availability of patient information is especially important with hospitals that operate 24×7 and 365 days a year. Additionally, another important aim of healthcare cybersecurity is protecting patient safety. Patient safety is directly implicated when it comes to connected medical devices and patients whose health can be directly impacted by the operation of the medical device. The need to protect patient safety is all the more important with life-saving or life-sustaining devices.
Additionally, other sectors (e.g., chemical, manufacturing, and others) have had decades to adopt and implement information technology and information security. However, many healthcare providers have had to quickly “catch up” in terms of both information technology and information security adoption. Some providers are further along than others are. Indeed, some providers have robust information technology and information security programs.
However, many providers struggle with healthcare cybersecurity, due to a myriad of factors—but, the biggest barrier to cybersecurity program maturity in healthcare is the cultural barrier. The cybersecurity threat is not understood and/or there are not enough resources available by some organizations to deal with the threat—especially small and rural healthcare providers. Additional barriers include lack of budget and lack of vendor support.
Further, as the healthcare industry progresses towards more interoperability, healthcare cybersecurity remains top of mind. The healthcare industry is only as secure as its weakest link. Therefore, if there are “weak links” in the “connected” healthcare ecosystem, these constituents pose a risk not only to themselves, but also, to others that connect to them.
Finally, the healthcare industry has its unique legal and regulatory environment. There is a patchwork of state and federal laws are relevant to healthcare cybersecurity. Compliance with such laws can be difficult, due to what the Taskforce characterizes as sometimes “duplicative” or “conflicting” obligations. The Taskforce also observed that there are regulatory gaps and a myriad of agencies involved in regulating healthcare entities.
Taskforce Imperative No. 1: Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity.
The Taskforce identified a need for a cybersecurity leader role within HHS to align industry-facing efforts for healthcare cybersecurity (Recommendation 1.1). The Taskforce also noted that there is a lack of uniformity amongst healthcare providers regarding adoption of cybersecurity frameworks.
The Taskforce recommends adoption of a standardized NIST Cybersecurity Framework. Specifically, Recommendation 1.2 calls for the establishment of a “consistent, consensus-based health care-specific Cybersecurity Framework” based on the NIST Cybersecurity Framework. In adopting such a framework, the Taskforce states that the uniform adoption would standardize risk assessment and definitions to make sharing of cybersecurity information easier and allow the industry to understand the risk across the continuum of data. The Taskforce also recommends that federal agencies harmonize existing and future laws and regulations that affect health care industry cybersecurity (Recommendation 1.3).
This imperative aligns with the HIMSS Cybersecurity Call to Action (“Create an HHS Cyber Leader Role” and “Adopt a Universal Information Privacy and Security Framework for the Health Sector”). Additionally, HIMSS has consistently “asked” for a healthcare-specific NIST Cybersecurity Framework in its public comments (Recommendation 1.2). Finally, HIMSS has included in its Congressional Asks an “ask” of Congress to harmonize federal and state privacy and cybersecurity laws and regulations (Recommendation 1.3).
Taskforce Imperative No. 2: Increase the Security and Resilience of Medical Devices and Health IT.
The Taskforce noted that many providers still have legacy operating systems, legacy medical devices, and the like. However, these legacy systems and devices still need to be secured. As a result, a number of recommendations were given for health delivery organizations, manufacturers, and government. Among the recommendations was Recommendation 2.6: Establish a Medical Computer Emergency Response Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.
Taskforce Imperative No. 3 Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
The Taskforce identified the need for healthcare organizations to have a healthcare cybersecurity role that drives more robust cybersecurity policies, processes, and functions with clear engagement from executives (Recommendation 3.1). Ideally, the Taskforce noted that a chief information security officer (“CISO”) or other officially designated individual should serve as the most senior information and cybersecurity professional. However, the Taskforce also acknowledged that small organizations may need to retain a shared or third-party CISO (as they may lack the resources to have a CISO within their own organizations).
The Taskforce also called for the establishment of a model for adequately resourcing the cybersecurity workforce with qualified individuals (Recommendation 3.2). Specifically, the Taskforce suggested that there is an immediate need for developing a method to certify higher education programs in cybersecurity, particularly ones that focus on healthcare and patient safety. Recommendation 3.2 also aligns with the HIMSS Cybersecurity Call to Action (“Address Shortage of Qualified Cybersecurity Personnel”).
Taskforce Imperative No. 4: Increase healthcare industry readiness through improved cybersecurity awareness and education
As stated by the Taskforce in its report:
- Cybersecurity can be an enabler for the healthcare industry, supporting both its business and clinical objectives, as well as facilitating the delivery of efficient, high-quality patient care.
- However, this requires a holistic cybersecurity strategy.
- Organizations that do not adopt a holistic strategy not only put their data, organizations, and reputation at risk, but also—most importantly—the welfare and safety of their patients.
These observations are also echoed in the conclusion of the HIMSS Cybersecurity Call to Action (which recommends that healthcare organizations implement a holistic cybersecurity strategy and that cybersecurity is an enabler for efficient, high quality patient care).
In Recommendation 4.1, the Taskforce also recommends that healthcare organizations participate in National Cybersecurity Awareness Month events and become partners of the National Cybersecurity Awareness Month campaign. The Taskforce also calls on the healthcare industry to develop cybersecurity literacy programs as well.
On a related note, HIMSS has been a champion of National Cybersecurity Awareness Month for the past four years. HIMSS has also developed healthcare cybersecurity awareness materials for healthcare organizations during this time. Its most recent awareness initiative was for World Password Day (May 5th), in which one of the recommendations was to implement multi-factor authentication (in alignment with Taskforce imperative no. 2 and Recommendation no. 2.4.2).
Taskforce Imperative No. 6: Improve information sharing of industry threats, risks, and mitigations
The healthcare industry is no longer in an era where it can be “willfully blind” to the cyber threat. Everyone (including rural, small, medium, and large healthcare organizations) should have the opportunity to participate in information sharing of cyber threat, risk, and mitigation information. As previously mentioned, the healthcare industry is only as strong as its weakest link. So, it pays for all of us to get on board in regard to information sharing. Information sharing helps to foster situational awareness, appreciation of the threats and risks, and gives us quintessential know-how (i.e., what to do in the face of a security incident).
However, while information sharing is important for all of us, the information still must be tailored for the audience. As the Taskforce notes, information sharing should be tailored for consumption by small and medium provider organizations (recommendation 6.1). Such organizations may not have staff on hand that can sift through enormous amounts of information and multiple feeds of information.
Instead, such information must be consumable, bite-sized, and understandable to such organizations. [While not cited in the Taskforce’s report, one such example is the HIMSS Healthcare and Cross-Sector Cybersecurity Reports.]
The Taskforce also recommends that annual readiness exercises by the healthcare industry should be encouraged (Recommendation 6.3). The Taskforce notes that these exercises can be conducted regularly to test response plans and create and utilize a variety of relative incident scenarios. In these scenario-based attacks, the exercises should also include scenarios for regional, national, and global attacks.
Looking to the future, the Taskforce encouraged others in the healthcare industry to work on possible solutions. Among its recommendations for future work, the Taskforce recommended that a public-private forum should be established to further discussions of healthcare industry cybersecurity as the industry evolves.
 Section 405 of the Cybersecurity Act of 2015 was developed, in part, from the 2015 Congressional Ask #2: Support Healthcare’s Efforts to Combat Cyber Threats. Please see also HIMSS Posts 3 Congressional Asks, Healthcare IT News, Sept. 9, 2015.