
HHS Task Force Report: Healthcare Cybersecurity is in Critical Condition

June 5, 2017
by Heather Landi

The Department of Health and Human Services (HHS) Health Care Industry Cybersecurity Task Force, which was formed last year following passage of the Cybersecurity Act of 2015, issued its final report to Congress June 2 with a number of recommendations to improve cybersecurity across the industry.

The report states that “healthcare cybersecurity is in critical condition,” citing a severe lack of security talent, legacy equipment that runs on old, unsupported and vulnerable operating systems, vulnerabilities that impact patient care and an epidemic of known vulnerabilities. The report, developed by Task Force members comprised of government and private industry leaders, also cited “premature and over-connectivity” as an issue contributing to the critical state of cybersecurity. “Meaningful Use requirements drove hyper-connectivity without secure design and implementation,” the report authors wrote.

The Task Force is composed of 21 private and government leaders considered experts in healthcare cybersecurity. The Task Force held public meetings and consulted with other experts over the past year in order to develop recommendations to address the growing challenge posed by cyberattacks.

In the report issued to Congress, the Task Force emphasized that healthcare cybersecurity issues are patient safety issues, and the findings call for a collaborative public and private sector effort to protect the healthcare system and patients from cyber threats.

The Health Information Trust Alliance (HITRUST) issued a statement praising the HHS Health Care Industry Cybersecurity Task Force’s report for bringing attention to security issues within the healthcare industry.

“The report makes clear that there are many steps which public and private partners must take to continue this progress. An important first step is to leverage the work HITRUST has done in developing a healthcare specific security and privacy framework (the HITRUST CSF) and fully support the work the Healthcare and Public Health Sector Coordinating Council (HPH-SCC) has completed (with HITRUST) in developing a healthcare specific implementation guide of the NIST Framework,” the organization stated.

Further, HITRUST wrote, “While the report highlights a number of shortfalls in the industry, the fact remains that companies must continue to invest in security and risk management and move from a compliance to risk management mindset.”

The Task Force report sets out six imperatives to improve cybersecurity, including improving information sharing of industry threats, risks and mitigations, and increasing health care industry readiness through improved cybersecurity awareness and education.

With regard to improving information sharing, the Task Force recommends streamlining information sharing for quick and efficient consumption, especially for small and medium-size organizations, and providing security clearance for more members of the health care community so they can gain access to threat information.

The report also calls for defining and streamlining leadership, governance and expectations for health care industry cybersecurity. To this end, the Task Force recommends creating a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity as well as establishing a consistent, consensus-based healthcare-specific Cybersecurity Framework.

The report authors wrote, “Although NIST (National Institute of Standards and Technology) has developed a generic framework, health care (like other sectors) has many unique aspects such as its diverse resource capabilities, legacy systems that will persist for years, and the burden of the need to have low barriers for sharing of data that is essential for collaborative patient-oriented care. The framework should build upon the minimum standard of security required by the NIST Cybersecurity Framework and the HIPAA Security Rule to promote a single lexicon for the health care sector as well as standards, guidelines, and best practices. The complex environment requires certain basic standards that all stakeholders must meet and guidelines that allow flexibility for select issues. Without this framework, any of the countless constituents may pose a risk to the health care ecosystem.”

The Task Force also calls for increasing the security and resilience of medical devices and health IT, with more specific recommendations including securing legacy systems, improving manufacturing and development transparency among developers and users and increasing adoption and rigor of the secure development lifecycle (SDL) in the development of medical devices and electronic health records (EHRs).

The Task Force also calls for establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.

The Task Force report findings also address healthcare cybersecurity workforce issues, as one of the six imperatives is to develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. To this end, the Task Force recommends that every organization identify the cybersecurity leadership role responsible for driving more robust cybersecurity policies, processes and functions, with clear engagement from executives. The Task Force also suggests establishing a model for adequately resourcing the cybersecurity workforce with qualified individuals.

“The prospect of supplying even one dedicated resource per organization currently looks daunting; however, managed services and contracted external resources/partners can enhance cybersecurity capability and services,” the report authors wrote, citing the example of the state of California starting the first safe patient ratio staffing system for registered nurses. That program evolved from a critical need to protect patients, nurses and health delivery organizations. “We find ourselves in a similar situation regarding cybersecurity,” the report authors wrote. “There is a need to determine a similar acceptable ratio of health care cybersecurity expertise to the size of the organization, complexity of care, degree of interconnectedness with other organizations, etc. The larger the organization, the more security professionals are required.”

To address the workforce gap, the Task Force also advises examining the impact of the Stark Law and Anti-Kickback regulations as well as leveraging managed security service providers (MSSPs) to develop a business and security model.

One of the six imperatives is to identify mechanisms to protect R&D efforts and intellectual property from attacks and exposure.

In a blog post, Steve Curren, director of the division of resilience in the Office of the Assistant Secretary for Preparedness and Response’s (ASPR) Office of Emergency Management, wrote about the Task Force report, “Today, much of healthcare is delivered by smaller practices and rural hospitals that may not have the resources to protect against these threats. Unfortunately, these organizations often do not possess the infrastructure to identify and track threats, lack the technical capacity to analyze the threat data they receive in order to quickly translate it into actionable information, and lack the capability to act on that information.

Further, Curren wrote, “The Office of the Assistant Secretary for Preparedness and Response understands that healthcare facilities are facing these challenges right now and we have developed a collection of peer-reviewed resources on cybersecurity to help healthcare industry stakeholders better protect against, mitigate, respond to, and recover from cyber threats, in order to better defend patient safety and operational continuity. 

“As called for by the Cybersecurity Information Sharing Act of 2015 the HHS Secretary is sharing educational materials on cybersecurity, including the Task Force’s report and appendix, with industry stakeholders to improve preparedness for and response to cybersecurity threats. The Health Care Industry Cybersecurity Task Force’s report contains valuable recommendations to help improve cybersecurity throughout the healthcare sector that ultimately could better protect patient care and public health,” Curren wrote.





PODCAST: AHA's Cybersecurity Leader John Riggi on the Evolving Cyber Threats Facing Healthcare

August 17, 2018
by Heather Landi, Associate Editor
Riggi believes the cyber threats against healthcare are increasing in severity, complexity and frequency


Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations all face the same daunting challenge of protecting information systems and patient data.

A recent report found that cyberthreats are continuing to increase and shift, and even though ransomware attacks are significantly declining, cyberattacks overall are on the rise. A Protenus Breach Barometer report found that 3 million patient records were breached in the second quarter of 2018 alone. At the same time, an IBM Security study found that the cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year. Overall, the healthcare industry continues to incur the highest cost for data breaches compared to any other industry.

Another report, based on a survey of hackers, uncovered some alarming results: about a quarter of the hackers surveyed say they can complete a breach of a hospital or healthcare organization in under five hours.

On top of all that, recent high-profile healthcare cybersecurity incidents in the past few months serve as a stark reminder that the healthcare industry continues to be a ripe target for attacks. One cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister. The breach impacted about a quarter of Singapore’s population of 5.6 million people.

John Riggi, who serves in the newly created role of senior advisor for cybersecurity and risk with the American Hospital Association (AHA), sees the cyber threats against healthcare increasing in severity, complexity and frequency. Prior to his role at AHA, Riggi spent nearly 30 years with the FBI, including in the cyber division.

Riggi dives into the evolving cyber threats facing the healthcare industry right now, including sophisticated criminal organizations, nation-state actors and cryptocurrency mining malware. Case in point: incidents of cryptocurrency mining on healthcare networks and other critical infrastructure networks increased by 1,000 percent from late 2017 to the present, Riggi says. He also discusses the implications of recent high-profile cyber incidents such as the hack at SingHealth.

The podcast runs about 13 minutes in length.



Report: More than 3M Patient Records Breached in Second Quarter of 2018

August 8, 2018
by Heather Landi

More than 3.14 million patient records were breached in 142 disclosed health data breach incidents during a three-month span from April to June 2018, according to new data released in the Protenus Breach Barometer.

Protenus, a cybersecurity software company, publishes a Breach Barometer report each month; the latest data showed that in the second quarter of 2018 the number of affected patient records almost tripled compared with the first quarter of this year (1.13 million patient records).

Protenus and DataBreaches.net compiled the report using health data breaches reported to the U.S. Department of Health and Human Services (HHS) or to the media. The data found that there were several large data breach incidents during the second quarter, including a theft incident in April involving a Sacramento-based office of the Department of Developmental Services, affecting 582,000 patient records, and a hacking incident at a healthcare provider in May that impacted 566,000 patient records.

For incidents disclosed to the HHS or the media, insiders were responsible for 30.9 percent of the total number of breaches in Q2 2018 (44 incidents). Details were disclosed for 27 of those incidents, affecting 421,180 patient records (13.4 percent of total breached patient records).

The report notes an interesting trend with regard to insider breach incidents. In Q2 2018, 29.7 percent of privacy violations were committed by repeat offenders. “This evidence indicates health systems accumulate risk that compounds over time if proper reporting and education do not occur. On average, if an individual healthcare employee breaches patient privacy once, there is a greater than 30 percent chance that they will do so again in three months’ time, and a greater than 66 percent chance they will do so again in a year’s time,” the report states.

The report authors note, “In other words, even minor privacy violations that are not promptly detected and mitigated have the potential to compound risk over time.”

The Breach Barometer report data also shows that each hospital investigator is responsible for monitoring the electronic access of an average of 4,000 active EHR users in Q2 2018, underscoring that manual audit processes, like ad-hoc or random audits, are insufficient to monitor such a large population, each of whom accesses multiple medical records per day.

Nine out of 1,000 employees breach patient privacy, and family member snooping is the most common insider-threat violation (71.4 percent of violations), the Protenus data found.

Protenus data estimated that, on average, 9.21 healthcare employees breach patient privacy per 1,000 employees. This increase over what was reported in Q1 2018 is due to healthcare privacy teams better leveraging advanced analytics and proactively detecting more incidents, according to the report.
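The preceding paragraphs argue that with roughly 4,000 active EHR users per investigator, ad-hoc or random manual audits cannot catch snooping or repeat offenders, and that analytics over every access event is what surfaces them. The script below is an added illustration of that kind of automated access review; it is not Protenus code and not part of the article. It assumes a simplified policy (an access is legitimate when the user is on the patient's documented care team or works in a unit currently treating the patient), uses a same-surname match as a crude signal for possible family-member snooping, and tracks repeat offenders inside a rolling window. All user IDs, patient IDs, names and timestamps are constructed sample data.

```python
"""EHR access audit (added example): flag accesses with no documented care
relationship, surface possible family snooping, and find repeat offenders."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str          # hypothetical employee id
    user_surname: str
    user_unit: str
    patient: str       # hypothetical patient id


@dataclass(frozen=True)
class Patient:
    surname: str
    care_team: frozenset   # user ids with a documented treatment relationship
    units: frozenset       # units currently treating the patient


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed patient directory (not real data).
PATIENTS = {
    "P100": Patient("Nguyen", frozenset({"u01", "u02"}), frozenset({"cardiology"})),
    "P101": Patient("Okafor", frozenset({"u03"}), frozenset({"oncology"})),
    "P102": Patient("Reyes", frozenset({"u02"}), frozenset({"cardiology", "pharmacy"})),
}

# Constructed access log (not real data); comments give the expected verdict.
ACCESS_LOG = [
    Access(ts("2018-04-02 09:10"), "u01", "Ali", "cardiology", "P100"),   # on care team: ok
    Access(ts("2018-04-02 09:15"), "u05", "Patel", "pharmacy", "P102"),   # treating unit: ok
    Access(ts("2018-04-03 14:20"), "u04", "Okafor", "billing", "P101"),   # same surname, no relationship
    Access(ts("2018-04-20 11:05"), "u06", "Lee", "radiology", "P100"),    # no relationship
    Access(ts("2018-05-15 08:00"), "u06", "Lee", "radiology", "P101"),    # no relationship, 25 days later
    Access(ts("2018-06-01 10:30"), "u03", "Brown", "oncology", "P101"),   # on care team: ok
    Access(ts("2018-07-15 16:45"), "u04", "Okafor", "billing", "P102"),   # no relationship, 103 days after first
]


def classify(access, patients):
    """Return None for a legitimate access, otherwise a short reason code."""
    p = patients.get(access.patient)
    if p is None:
        return "unknown_patient"
    if access.user in p.care_team or access.user_unit in p.units:
        return None
    if access.user_surname.lower() == p.surname.lower():
        return "possible_family_snooping"
    return "no_care_relationship"


def audit(log, patients):
    """Evaluate every access (not a sample) and return (access, reason) for flagged ones."""
    flagged = []
    for a in sorted(log, key=lambda a: a.ts):
        reason = classify(a, patients)
        if reason:
            flagged.append((a, reason))
    return flagged


def repeat_offenders(flagged, window_days=90):
    """Users with two or more flagged accesses no more than window_days apart."""
    by_user = defaultdict(list)
    for a, _ in flagged:
        by_user[a.user].append(a.ts)
    repeats = set()
    for user, times in by_user.items():
        times.sort()
        # Adjacent timestamps suffice: any pair inside the window has an adjacent pair inside it.
        if any(times[i] - times[i - 1] <= timedelta(days=window_days) for i in range(1, len(times))):
            repeats.add(user)
    return repeats


def summarize(log, patients, window_days=90):
    """Counts an investigator would review: flagged accesses by reason and repeat offenders."""
    flagged = audit(log, patients)
    by_reason = defaultdict(int)
    for _, reason in flagged:
        by_reason[reason] += 1
    return {
        "total": len(log),
        "flagged": len(flagged),
        "by_reason": dict(by_reason),
        "repeat_offenders": sorted(repeat_offenders(flagged, window_days)),
    }


if __name__ == "__main__":
    for a, reason in audit(ACCESS_LOG, PATIENTS):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user} -> {a.patient}: {reason}")
    print(summarize(ACCESS_LOG, PATIENTS))
```

Two design points match the report's observations: the audit evaluates every event rather than a random subset, and the repeat-offender window makes the "will they do it again within three months" question answerable directly from the log. In a real deployment the care-relationship rule would draw on the EHR's encounter and order data rather than a static directory, and the surname heuristic would be one weak signal among several, not a verdict.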

There were 25 publicly disclosed incidents that involved insider-error between April and June 2018. Details were disclosed for 14 of these incidents, affecting 343,036 patient records. In contrast, 18 incidents involved insider-wrongdoing, with data disclosed for 13 of these incidents. There was a substantial increase of breached patient records as a result of insider-wrongdoing. In Q1 2018, there were only 4,597 affected patient records, while in Q2 2018, there were 70,562 affected patient records.

Looking at external threats, hacking continues to threaten healthcare organizations in 2018, with an increase in incidents in the second quarter. Between January and March, there were 30 hacking incidents; between April and June 2018, there were a total of 52 incidents (36.6 percent of all Q2 2018 publicly disclosed incidents). Details were disclosed for 44 of those incidents, which affected 2 million patient records.

Of the 143 disclosed health data breaches that occurred between April and June 2018, 99 of them (76 percent of total incidents) were disclosed by a healthcare provider, 15 were disclosed by a health plan, 18 were disclosed by a business associate or third-party vendor, and ten were disclosed by businesses or other organizations.

Even though most healthcare organizations have already switched over to digitized patient records, 23 breach incidents still involved paper records.

The Protenus data also reported that, of the 142 health data breaches for which data was disclosed, it took an average of 204 days from when the breach occurred to when it was discovered. The median discovery time was 18 days. The spread in the data was wide, with the shortest discovery time being one day and the longest 1,587 days (4.35 years).

In conclusion, the Protenus report notes that the average cost per breached record has increased 6.4 percent ($408 per record) over last year. “Healthcare organizations must remain vigilant, looking for best practices in healthcare privacy that will allow them to audit every access to their patient data. Full visibility into how their data is being accessed and used will help organizations secure patient trust while preventing data breaches from having costly consequences for their organization,” the report states.
