Federal task force calls cybersecurity a public health concern

Staffing problems and outdated equipment and software are healthcare’s top cybersecurity challenges, according to a June 2 report released by the Health Care Industry Cybersecurity Task Force, a federal task force established to fulfill requirements of the Cybersecurity Act of 2015.

The report analyzes and ranks cybersecurity threats to the healthcare industry. The most significant weaknesses identified in the report include the lack of full-time, qualified security staff, legacy equipment running on unsupported operating systems, and poor network security.

The task force also warned of the impact of poor cybersecurity on patients in today’s increasingly networked environment. Ransomware and other devastating malware attacks are on the rise. These attacks can shut down a hospital, putting patients in jeopardy and transforming cybersecurity into a public health crisis. Despite this, security officers often struggle to demonstrate the value of strong cybersecurity to the C-suite.

The task force identified six goals that it believes will improve cybersecurity in the industry:

• Define and streamline leadership, governance, and expectations for cybersecurity
• Identify strategies to protect research and development efforts and intellectual property from attacks or exposure
• Improve information sharing of industry threats, weaknesses, and mitigations
• Improve staffing necessary to prioritize and ensure cybersecurity awareness and technical capabilities
• Increase cybersecurity awareness and education
• Increase the security and resilience of medical devices and health IT

Each goal includes recommendations and practical steps organizations can take to implement them. For example, the third goal focuses on developing and recruiting staff, defining cybersecurity leadership, and creating cybersecurity solutions for small- and medium-sized organizations that may not be able to support full-time cybersecurity staff. This goal is broken down into four recommendations:

• Create managed security service providers for small- and medium-sized organizations
• Define the cybersecurity leadership role
• Establish a cybersecurity staffing ratio benchmark
• Move patient records from unsecure legacy systems to modern, secure environments

Action items suggest practical steps and suggestions organizations and the federal government can follow to meet each recommendation. The task force’s recommendation to transfer patient records to secure environments includes suggestions such as federal incentive programs and development of industry standards to support small- and medium-sized organizations.