Early last year, in response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established the Health Care Industry Cybersecurity Task Force. This month the task force published its recommendations to improve healthcare cybersecurity.
While non-binding (today), the recommendations should be read as a heads-up to healthcare organizations, “covered entities” (in the words of HIPAA), and device manufacturers. Let’s take a look at some of the challenges the task force identified and its advice for improving healthcare cybersecurity.
From a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles:
Most importantly, particularly among healthcare providers, users are focused on delivering care 24x7x365, and that care can be extremely time sensitive. For example, session timeouts are a sound security practice, but they can delay a practitioner’s access to critical information at exactly the wrong moment.
The Task Force’s job was not simple, but it distilled its recommendations into the six “imperatives” summarized (in abbreviated form) below.
As in any industry, security initiatives require top-down support. In this case, the recommendation is for HHS to create a cybersecurity leader role. That role would carry enough authority to work with and direct other agencies, and its holder would serve as the point person to “harmonize existing and future laws and regulations that affect health care industry cybersecurity.” Further, the Task Force set a goal of creating a cybersecurity framework for use across all healthcare verticals.
This imperative addresses device and application security, in particular vulnerabilities in device software. In addition to recommending more rigorous software development life cycles (SDLCs), it recognizes the growing use of third-party software, open source software in particular, and the resulting need for visibility into the vulnerabilities those components carry.
That effort starts, obviously, with visibility into which components are in use. Imperative 2 requires transparency from manufacturers and developers in the form of a bill of materials “that describes its components (e.g., equipment, software, open source, materials), as well as any known risks associated with those components to enable health care delivery organizations to more quickly determine if they are impacted.”
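To make the “determine if they are impacted” step concrete, here is an added example of how a provider might match a device’s bill of materials against an advisory feed. This is illustration code, not anything from the Task Force report or from a real manufacturer: the SBOM is a constructed, simplified subset of the CycloneDX JSON layout, and the advisories (with their `ADV-*` identifiers, version ranges and severities) are hypothetical. A real deployment would pull advisories from NVD or vendor feeds and key components by package URL rather than bare name.

```python
"""Match a device SBOM against an advisory feed (added illustration).

The SBOM and advisories below are constructed samples, not data from the
Task Force report or from any real device.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM in a simplified CycloneDX-style JSON shape (subset only).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "sample-pump-firmware", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.1e"},
    {"type": "library", "name": "busybox", "version": "1.24.2"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "operating-system", "name": "linux-kernel", "version": "3.10.0"}
  ]
}
"""

# Constructed advisory feed. IDs are hypothetical, not real CVEs; each entry
# covers the half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g", "severity": "high"},
    {"id": "ADV-0002", "component": "busybox", "introduced": "1.0", "fixed": "1.25.0", "severity": "medium"},
    {"id": "ADV-0003", "component": "zlib", "introduced": "1.2.0", "fixed": "1.2.9", "severity": "high"},
    {"id": "ADV-0004", "component": "linux-kernel", "introduced": "3.0", "fixed": "3.10.0", "severity": "high"},
]

_PART = re.compile(r"^(\d+)([A-Za-z]*)$")


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.0.1e' into ((1,''), (0,''), (1,'e')) so versions compare numerically.

    Plain string comparison gets this wrong ('1.2.11' < '1.2.9' as strings),
    a classic source of false negatives when matching components.
    """
    parts = []
    for piece in version.split("."):
        m = _PART.match(piece)
        if not m:
            raise ValueError(f"unsupported version syntax: {version!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter versions are padded so '1.0' == '1.0.0'."""
    pa, pb = list(parse_version(a)), list(parse_version(b))
    width = max(len(pa), len(pb))
    pa += [(0, "")] * (width - len(pa))
    pb += [(0, "")] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed; the fixed release itself is clean."""
    return compare(version, introduced) >= 0 and compare(version, fixed) < 0


def find_affected(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return advisories that apply to components in the SBOM, worst severity first."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX-style document")
    by_name: Dict[str, List[Dict]] = {}
    for comp in bom.get("components", []):
        by_name.setdefault(comp["name"].lower(), []).append(comp)

    hits = []
    for adv in advisories:
        for comp in by_name.get(adv["component"].lower(), []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "fixed_in": adv["fixed"],
                    "severity": adv["severity"],
                })
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    hits.sort(key=lambda h: (rank.get(h["severity"], 9), h["advisory"]))
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{hit['severity']:<7} {hit['advisory']}  {hit['component']} "
              f"{hit['version']} (fixed in {hit['fixed_in']})")
```

Two details matter in practice and are the reason the example is not a one-line lookup: versions must be compared numerically with vendor suffixes handled (the OpenSSL letter releases here), and advisory ranges must be half-open so that a device already running the fixed release is not flagged. The zlib and kernel entries in the sample exist precisely to exercise those two edges.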
Again, as in other industries, security awareness is recognized as benefiting everyone. This imperative extends Imperative 1 by recommending similar top-down leadership for organizations’ internal security efforts. Recognizing the staffing limitations of smaller organizations, it also recommends that the industry support the creation of managed security service providers (MSSPs).
This includes education within organizations, from Board-level roles down. It also includes consumer education, to help patients protect their personal health information and recognize illegitimate attempts to obtain it (e.g., phishing attacks).
The United States is a market leader in healthcare technology. Protecting that IP from counterfeiting and theft should increase patient safety and encourage further investment.
The financial services industry, through FS-ISAC, has been successful in improving industry-wide security through information sharing. A similar effort in healthcare would help everyone involved.
The recent WannaCry ransomware attacks proved that hospitals are vulnerable. The worm spread through an SMB vulnerability in Windows for which Microsoft had shipped a patch (MS17-010) two months earlier; that the attacks could have been prevented by applying a known fix drives home the need for visibility into vulnerabilities and for plans to update vulnerable applications and components.
To further emphasize the need, we recently saw a report detailing thousands of vulnerabilities, largely in third-party libraries, across the pacemaker ecosystem (programmers and monitoring equipment). Billy Rios, one of the researchers in that study, had previously disclosed major vulnerabilities in drug infusion pumps.
The timing of the Task Force’s report is good. We now hope to see government and industry embrace its recommendations.
Mike Pittenger has 30 years of experience in technology and business, more than 25 years of management experience, and 15 years in security. He previously served as Vice President and General Manager of the product division of @stake. After @stake’s acquisition by Symantec, Pittenger led the spin-out of his team to form Veracode. He later served as Vice President of the product and training division of Cigital. For the past several years, he has consulted independently, helping security companies identify, define and prioritize the benefit to customers of their technologies, structure solutions appropriately and bring those offerings to market. Mike earned his AB in Economics from Dartmouth College and an MBA with a finance concentration from Bentley College.