June 22, 2017 - If recent news of the worldwide “WannaCry” ransomware attack that nearly brought the U.K.’s National Health Service to its knees hasn’t jolted healthcare organizations into taking stock of their cybersecurity programs, perhaps the findings from a U.S. government-mandated task force on healthcare cybersecurity will. Following are just some of the many arguments for why healthcare entities, especially long-term and post-acute care providers, should take immediate steps to improve their security:
The majority of healthcare delivery organizations lack full-time qualified security personnel;
Equipment is running on old, unsupported, and vulnerable operating systems;
The “meaningful use” requirements have driven hyper-connectivity without security design and implementation; and
A number of healthcare systems are currently known to have security vulnerabilities and compromises that can shut down patient care within hours or even minutes of an attack.
The report was born of the Cybersecurity Act of 2015, which required Congress to establish the Health Care Industry Cybersecurity (HCIC) Task Force “to address the challenges the healthcare industry faces when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional.”
The report offers additional reasons why healthcare organizations should ramp up security efforts around connectivity. In addition to the possibility of patient and treatment data being used to perpetrate fraud, identity theft, and supply chain disruptions, hackers and viruses are not above manipulating stock and stealing research and data.
The point is that connectivity in healthcare is vital (and, dare we say, critical) but with more digital connectivity come more complex systems—and the need for even more security.
Here are a few additional task force recommendations—which it calls “imperatives”—stemming from its work over the last year:
Establish a “cybersecurity leader” role at the U.S. Department of Health and Human Services (HHS) to help guide cybersecurity efforts in the health care sector;
Increase the security and resilience of medical devices and health IT;
Create a healthcare version of the Cybersecurity Framework developed by the National Institute of Standards and Technology;
Standardize cybersecurity laws and regulations affecting healthcare organizations;
Adopt a more lenient approach to inadvertent security breaches so that sharing of information about breaches can be done without fear of regulatory sanctions;
Develop a healthcare workforce capacity that can prioritize and ensure cybersecurity awareness and technical capabilities;
Increase healthcare industry readiness by improving cybersecurity awareness and education; and
Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
The task force makes it abundantly clear that all healthcare delivery organizations have a “greater responsibility to secure their systems, medical devices, and patient data.” That said, the group recognizes that many organizations have resource constraints that pose challenges to addressing the risks and adopting additional security measures.
In our next post, we will look at some resources providers can use to address cybersecurity concerns, prevent threats, and stay ahead of the game.