HHS Cybersecurity Report Cites Patient Safety Concerns

Ken Terry

June 05, 2017

The US Department of Health and Human Services (HHS) has released an 88-page report on how to improve cybersecurity in healthcare. The report, required by the Cybersecurity Act of 2015, addresses the needs of small and medium-sized organizations, including physician practices, but doesn't estimate how much the suggested improvements in data security might cost them.

The cybersecurity task force that compiled the report included representatives of the federal government, hospitals, insurers, patient advocates, security firms, pharmaceutical companies, medical device manufacturers, health information technology (IT) developers and vendors, and laboratories.

Citing the growing number of ransomware attacks and major security breaches in healthcare, the report noted that "Health care cybersecurity is a key public health concern that needs immediate and aggressive attention."

The task force identified six major imperatives for improving cybersecurity:

  1. Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity;

  2. Increase the security and resilience of medical devices and health IT;

  3. Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities;

  4. Increase healthcare industry readiness through improved cybersecurity awareness and education;

  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure;

  6. Improve information sharing of industry threats, weaknesses, and mitigations.

In addition, the task force emphasized the need to streamline and harmonize federal and state regulations that may get in the way of cybersecurity. For example, the report urged Congress to "explore potential impacts of the Physician Self-Referral Law and the Anti-Kickback Statute on collaborative industry cybersecurity efforts and identify potential modifications or exemptions as appropriate."

The task force also suggested that HHS's Office for Civil Rights ease its enforcement of the Health Insurance Portability and Accountability Act (HIPAA), since the threat of penalties can discourage healthcare organizations from admitting to security breaches.

Three Key Challenges

Among the challenges that healthcare organizations must address to identify and respond to cyberattacks, three of those cited by the task force stand out. First, many healthcare organizations run legacy systems with numerous security holes but cannot afford to replace them. Second, the increasing connectivity of healthcare systems through the Internet increases their exposure to cyberattack. And third, small and medium-sized providers, including most independent practices, cannot afford to hire security experts or pay for advanced security software on their own.

One solution to the third challenge, the report suggested, is for small and medium-sized organizations to retain managed security service providers, or MSSPs, which are firms that consult for many different clients. In essence, MSSPs provide shared security services that, in theory, should be less expensive than hiring full-time security personnel. The report urged the federal government to encourage MSSPs to "achieve economies of scale."

The task force also recommended that small and medium-sized providers consider migrating their patient records and legacy systems to hosted environments in the cloud. "By moving to a secure cloud environment, health care providers will have increased security and the ability to effectively use their clinical resources to support patients without having to worry about maintaining their on-premises infrastructure and systems," the report said.

To address cybersecurity across the industry, the report recommended that HHS create a new position for a healthcare cybersecurity leader. This "security czar" would provide a single source of guidance for industry, preventing duplication and confusion and promoting consistent cyber incident responses within the industry. The HHS cybersecurity leader would also improve collaboration with other federal agencies and with the private sector.

The report devoted considerable space to the need to improve the security of medical devices and their connections with electronic health records. Although the hacking of medical devices has been rare up to now, the task force viewed this as a critical patient safety concern. The report suggested that device vendors be required to reveal known security risks to potential customers, that two-factor authentication be used for external access to devices, and that providers establish a medical computer emergency readiness team to coordinate device-specific responses to cybersecurity incidents and vulnerability disclosures.

The report noted that there is a nationwide deficit of cybersecurity talent across all industries. It recommended that Congress appropriate money for more training programs for these professionals. However, even if the number of professionals in training increases, the report said, students who enter those programs this year will not be ready to join the workforce until 2021.
