
HHS Task Force Report: Healthcare Cybersecurity is in Critical Condition

June 5, 2017
by Heather Landi

The Department of Health and Human Services (HHS) Health Care Industry Cybersecurity Task Force, which was formed last year following passage of the Cybersecurity Act of 2015, issued its final report to Congress June 2 with a number of recommendations to improve cybersecurity across the industry.

The report states that “healthcare cybersecurity is in critical condition,” citing a severe lack of security talent, legacy equipment that runs on old, unsupported and vulnerable operating systems, vulnerabilities that impact patient care and an epidemic of known vulnerabilities. The report, developed by Task Force members comprised of government and private industry leaders, also cited “premature and over-connectivity” as an issue contributing to the critical state of cybersecurity. “Meaningful Use requirements drove hyper-connectivity without secure design and implementation,” the report authors wrote.

The Task Force is composed of 21 private and government leaders considered experts in healthcare cybersecurity. The Task Force held public meetings and consulted with other experts over the past year in order to develop recommendations to address the growing challenge posed by cyberattacks.

In the report issued to Congress, the Task Force emphasized that healthcare cybersecurity issues are patient safety issues, and the findings call for a collaborative public and private sector effort to protect the healthcare system and patients from cyber threats.

The Health Information Trust Alliance (HITRUST) issued a statement praising the HHS Health Care Industry Cybersecurity Task Force’s report for bringing attention to security issues within the healthcare industry.

“The report makes clear that there are many steps which public and private partners must take to continue this progress. An important first step is to leverage the work HITRUST has done in developing a healthcare specific security and privacy framework (the HITRUST CSF) and fully support the work the Healthcare and Public Health Sector Coordinating Council (HPH-SCC) has completed (with HITRUST) in developing a healthcare specific implementation guide of the NIST Framework,” the organization stated.

Further, HITRUST wrote, “While the report highlights a number of shortfalls in the industry, the fact remains that companies must continue to invest in security and risk management and move from a compliance to risk management mindset.”

The Task Force report sets out six imperatives to improve cybersecurity, including improving information sharing of industry threats, risks and mitigations, and increasing health care industry readiness through improved cybersecurity awareness and education.

With regard to improving information sharing, the Task Force recommends streamlining information sharing for quick and efficient consumption, especially for small and medium-size organizations, and providing security clearances to more members of the health care community so they can gain access to threat information.

The report also calls for defining and streamlining leadership, governance and expectations for health care industry cybersecurity. To this end, the Task Force recommends creating a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity as well as establishing a consistent, consensus-based healthcare-specific Cybersecurity Framework.

The report authors wrote, “Although NIST (National Institute of Standards and Technology) has developed a generic framework, health care (like other sectors) has many unique aspects such as its diverse resource capabilities, legacy systems that will persist for years, and the burden of the need to have low barriers for sharing of data that is essential for collaborative patient-oriented care. The framework should build upon the minimum standard of security required by the NIST Cybersecurity Framework and the HIPAA Security Rule to promote a single lexicon for health care sector as well as standards, guidelines, and best practices. The complex environment requires certain basic standards that all stakeholders must meet and guidelines that allow flexibility for select issues. Without this framework, any of the countless constituents may pose a risk to the health care ecosystem.”

The Task Force also calls for increasing the security and resilience of medical devices and health IT, with more specific recommendations including securing legacy systems, improving manufacturing and development transparency among developers and users and increasing adoption and rigor of the secure development lifecycle (SDL) in the development of medical devices and electronic health records (EHRs).

The Task Force also calls for establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.

The Task Force report findings also address healthcare cybersecurity workforce issues, as one of the six imperatives is to develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. To this end, the Task Force recommends that every organization identify a cybersecurity leadership role responsible for driving more robust cybersecurity policies, processes and functions, with clear engagement from executives. The Task Force also suggests establishing a model for adequately resourcing the cybersecurity workforce with qualified individuals.

“The prospect of supplying even one dedicated resource per organization currently looks daunting; however, managed services and contracted external resources/partners can enhance cybersecurity capability and services,” the report authors wrote, citing the example of the state of California starting the first safe patient ratio staffing system for registered nurses. That program evolved from a critical need to protect patients, nurses and health delivery organizations. “We find ourselves in a similar situation regarding cybersecurity,” the report authors wrote. “There is a need to determine a similar acceptable ratio of health care cybersecurity expertise to the size of the organization, complexity of care, degree of interconnectedness with other organizations, etc. The larger the organization, the more security professionals are required.”

To address the workforce gap, the Task Force also advises examining the impact of the Stark Law and Anti-Kickback regulations as well as leveraging managed security service providers (MSSPs) to develop a business and security model.

One of the six imperatives is to identify mechanisms to protect R&D efforts and intellectual property from attacks and exposure.

In a blog post, Steve Curren, director of the division of resilience in the Office of the Assistant Secretary for Preparedness and Response’s (ASPR) Office of Emergency Management, wrote about the Task Force report, “Today, much of healthcare is delivered by smaller practices and rural hospitals that may not have the resources to protect against these threats. Unfortunately, these organizations often do not possess the infrastructure to identify and track threats, lack the technical capacity to analyze the threat data they receive in order to quickly translate it into actionable information, and lack the capability to act on that information.

Further, Curren wrote, “The Office of the Assistant Secretary for Preparedness and Response understands that healthcare facilities are facing these challenges right now and we have developed a collection of peer-reviewed resources on cybersecurity to help healthcare industry stakeholders better protect against, mitigate, respond to, and recover from cyber threats, in order to better defend patient safety and operational continuity.

“As called for by the Cybersecurity Information Sharing Act of 2015 the HHS Secretary is sharing educational materials on cybersecurity, including the Task Force’s report and appendix, with industry stakeholders to improve preparedness for and response to cybersecurity threats. The Health Care Industry Cybersecurity Task Force’s report contains valuable recommendations to help improve cybersecurity throughout the healthcare sector that ultimately could better protect patient care and public health,” Curren wrote.
