In early June 2017, the U.S. Department of Health and Human Services (HHS) Health Care Industry Cyber Security (HCIC) Task Force released the “Report on Improving Cyber Security in the Health Care Industry” (the “Report”). The Report provides six primary recommendations for government and health care organizations to “help increase security across the health care industry.” It describes the health care industry’s cyber security issues as patient safety issues and emphasizes that all health care delivery organizations have a greater responsibility to secure their systems, medical devices, and patient data. The release of the Report is particularly timely in the wake of the ransomware attack in May that crippled hospitals and health systems in the United Kingdom and other businesses and industries across the globe. Cyber security planning is important for all industries, including participants in the health care delivery system—providers, payors, pharmaceutical companies, medical device manufacturers, and vendors.
The HCIC Task Force concluded that cyber security has become “a key public health concern that needs immediate and aggressive attention.” In its report, it cited various contributing factors including the need to access patient information and share data quickly, the increasing volume of connected medical devices, and the digitalization of patient data in electronic health record systems (EHRs). Health care’s mission of helping patients—as many patients as quickly as possible in order to avoid bad clinical outcomes—presents privacy and security challenges that are unique to this industry.
The Report’s six recommendations to increase security, with corresponding action items for government and the health care industry, are listed below:
1. Define and streamline leadership, governance, and expectations for health care industry cyber security.
HHS should create a cyber security leader position to coordinate health care cyber security activities within HHS, establish a health care-specific Cyber Security Framework, and require federal regulatory agencies to harmonize existing and future health care cyber security laws. Congress should explore potential impacts to federal fraud and abuse laws (i.e., the Stark Law and Anti-Kickback Statute), if sharing of cyber security resources is permitted.
2. Increase the security and resilience of medical devices and health information technology (IT).
Health care delivery organizations should secure legacy systems, require strong authentication, and employ approaches that reduce the areas where vulnerabilities can be exploited by a hacker (known as the “attack surface”) of medical devices and EHRs. Federal agencies should establish a team (MedCERT) to coordinate medical device-specific cyber security.
3. Develop the health care workforce capacity necessary to prioritize and ensure cyber security awareness and technical capabilities.
Every organization should identify cyber security leadership, and the industry should establish a model for hiring. The federal government should create managed security services provider (MSSP) models to support small and medium-sized providers, and these providers should evaluate options to migrate patient records and legacy systems to secure environments.
4. Increase health care industry readiness through improved cyber security awareness and education.
The industry should ensure that the risks of existing and new products and systems are managed securely. HHS should work with the National Institute of Standards and Technology (NIST), implement an education campaign, and provide patients with information on how to manage their health care data.
5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
The federal government should develop guidance on how to create an economic impact analysis describing cyber security risk. Entities that manage big data solutions should pursue research into protecting health care big data sets.
6. Improve information sharing of industry threats, risks, and mitigations.
HHS and the industry should broaden information sharing to include small and medium-sized health care organizations, and create more effective mechanisms for disseminating and utilizing data. Health care delivery organizations should implement cyber security incident response plans that are reviewed and tested annually.
The HCIC Task Force was created as part of the Cyber Security Act of 2015 to “address the challenges the health care industry faces when securing and protecting itself against cyber security incidents.” The HCIC Task Force’s directives include analyzing how other industries have implemented cyber security strategies and safeguards, analyzing cyber challenges to private entities in the health care industry, and reviewing challenges in securing networked medical devices and other software or systems that connect to an EHR. According to HHS, the HCIC Task Force was composed of government and private industry leaders who are innovators in technology and leaders in health care cyber security. The HCIC Task Force held public meetings and consulted with other experts over the past year in order to develop the recommendations.
The full Report may be found here: Report on Improving Cyber Security in the Health Care Industry.
With the increasing use of and reliance on electronic data and the sophistication of hackers, it is imperative that businesses across the health care delivery system take steps to secure health care data, including confirming the compliance and efficacy of HIPAA Security Rule programs.