The conclusions in the report that the Health Care Industry Cybersecurity Task Force of the Department of Health and Human Services (HHS) released to Congress on June 2 were the conceptual equivalent of a slow-moving hurricane: devastating, but long predicted. Stating that “healthcare cybersecurity is in critical condition,” the report’s authors cited a severe lack of security talent, legacy equipment running old, unsupported and vulnerable operating systems, vulnerabilities that affect patient care, and an epidemic of known, unpatched vulnerabilities. The report, developed by Task Force members drawn from government and private industry leadership, also cited “premature and over-connectivity” as an issue contributing to the critical state of cybersecurity. “Meaningful Use requirements drove hyper-connectivity without secure design and implementation,” the report’s authors wrote.
The report, entitled “Report on Improving Cybersecurity in the Health Care Industry,” is very much worth reading in full. As its authors note, “Now more than ever, all health care delivery organizations… have a greater responsibility to secure their systems, medical devices, and patient data. Most health care organizations face significant resource constraints as operating margins can be below one percent. Many organizations cannot afford to retain in-house information security personnel, or designate an information technology (IT) staff member with cybersecurity as a collateral duty. These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.” Importantly, they note that “Many organizations also have not crossed the digital divide in not having the technology resources and expertise to address current and emerging cybersecurity threats. These organizations may not know that they have experienced an attack until long after it has occurred. Additionally, both large and small health care delivery organizations struggle with numerous unsupported legacy systems that cannot easily be replaced (hardware, software and operating systems) with large numbers of vulnerabilities and few modern countermeasures. Industry will need to dramatically reduce the use of less defensible legacy and unsupported products, and more effectively reduce risk in future products through robust development and support strategies.”
Also importantly, the report’s authors note that, “With the exception of IT security personnel, many providers and other health care workers often assume that the IT network and the devices they support function efficiently and that their level of cybersecurity vulnerability is low. Recent high-profile incidents, such as ransomware attacks and large-scale privacy breaches, have shown this vulnerability assumption to be false and provided an opportunity to increase education and awareness about the benefits of cybersecurity in the health care community. Moreover, recent ransomware incidents have also highlighted how patient care at health care delivery organizations can be interrupted due to a system compromise. Members of the health ecosystem reported that prior to these breaches many security professionals had difficulty demonstrating the importance of cyber protections to organizational leadership, including how risk mitigation can save money and protect against reputational damage in the long-term. Making the decision to prioritize cybersecurity within the health care industry requires culture shifts and increased communication to and from leadership, as well as changes in the way providers perform their duties in the clinical environment. Thus, health care cybersecurity is a key public health concern that needs immediate and aggressive attention.”
On a practical level, the Task Force’s report sets out six imperatives for action. They are:
1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and
5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, weaknesses, and mitigations.
On one level, these are all very obvious, and are all elements that every CIO of every patient care organization should already know and understand. But on a deeper level, they aren’t obvious at all, at least not in their execution.
Here’s the thing: the proportion of patient care organizations across the U.S. that are truly cybersecurity-prepared remains very small. Of course, organizations fall all along a spectrum of readiness. But certainly, far less than a majority are prepared for anything beyond the most elementary kinds of attacks, and very, very few are prepared in the areas of medical device connectivity, workforce readiness, or sophisticated, well-resourced attackers.