New Report Identifies Cybersecurity Challenges In Health Care

The Health Care Industry Cybersecurity Task Force (Task Force) recently issued a report on guidance and preparedness for the health care industry in response to increasing and expanding cybersecurity threats. The Task Force, established under Section 405 of the Cybersecurity Act of 2015 (codified at 6 U.S.C. § 1533 and referred to below, with the Cybersecurity Information Sharing Act it contains, as CISA), was charged with examining the cybersecurity risks faced specifically by the health care industry, identifying who should coordinate and lead industry-wide efforts, how responsibilities should be divided among the participants, and how they can best communicate with one another.

Congress enacted CISA in response to the increasing number of data breaches, hacking schemes, and ransomware attacks across all industries, with the intention of encouraging the sharing of cyber threat information among private entities and with the federal government in an effort to combat these issues. However, the health care industry’s regulatory and administrative complexity poses a unique challenge to CISA’s purpose. Although CISA authorizes the sharing of cyber threat indicators and defensive measures “notwithstanding any other provision of law,” which arguably displaces the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) for that narrow purpose, many potential barriers to successfully sharing cyber threat information and combatting these threats remain.

The Task Force report identifies the following potential barriers faced by the health care industry: the expense of in-house information security personnel or IT staff; a lack of infrastructure for identifying, tracking, and preventing threats; a lack of information regarding threats to new technology; unsupported legacy systems; a lack of awareness of vulnerabilities; and a historically low prioritization of cybersecurity. The report then uses those barriers to identify its “high-level imperatives by which to organize its recommendations and action items . . .,” which are as follows:

  1. Define and streamline leadership, governance and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, weaknesses, and mitigations.

The Task Force found that the health care industry requires its own single source for sharing cybersecurity threat information and a single reporting framework for doing so, because the industry is both too complex and too distinct from other industries to be served by a mainstream leader or framework borrowed from elsewhere. The report specifically cites the Stark Law and the Anti-Kickback Statute as potential barriers to the success of any such plan or framework, and suggests that they may need an amendment covering cybersecurity software so that health care organizations can assist physicians in obtaining needed technology without running afoul of those statutes. The report also calls on Congress and the Centers for Medicare and Medicaid Services (CMS) to allow for greater integration and to provide greater protection, and on IT vendors and medical device manufacturers to do their part in delivering better security and integration.

In conclusion, the report states that it is time for a new way of thinking in the industry. Larger budgets for IT staff and for the maintenance and operation of electronic health records will become the norm, as will a coordinated effort to protect data, not just an organization’s own data but the industry’s data as a whole. The points made in the report stress the importance both of compliance with existing law and of being proactive in the fight against cyber threats in general: investment in prevention beforehand reduces both the likelihood and the impact of a successful attack.

The report can be accessed here: Report on Improving Cybersecurity in the Health Care Industry