Dive Brief:
- The Health Care Industry Cybersecurity Task Force is urging the government to take a stronger lead in helping healthcare organizations boost cybersecurity, saying healthcare cybersecurity is in “critical condition,” Healthcare IT News reports.
- While the industry is working to update IT systems and safeguard patient information, many healthcare organizations lack the infrastructure to identify and track threats and the capacity to analyze and translate the data and act on the results, according to an 88-page report released Friday by the group. Many of these organizations also can’t afford an in-house cybersecurity team to monitor and respond to system vulnerabilities.
- The HHS task force report follows last month’s WannaCry attack that froze computers in hospitals across the United Kingdom.
Dive Insight:
As the attack last month showed, cybersecurity is a vital issue for hospitals and others in the industry. Last year, more than 27 million patient records were affected by data breaches, and other high-profile incidents this year indicate CIOs can't let their guard down. Breaches across the industry cost an estimated $6.2 billion a year.
Patients are aware of the issue, and most aren't willing to tolerate breaches. A recent Carbon Black survey found nearly 70% of consumers would consider leaving their healthcare provider if it was attacked by ransomware. But the solution has never been thought to be simple, and it's no surprise the new report says more resources and a lot more cooperation are needed to tackle the problem.
The report notes that improving healthcare cybersecurity will require a coordinated effort by federal agencies, Congress, healthcare providers, medical device companies, insurers and other industry stakeholders. The task force calls for additional federal resources to bolster cybersecurity, including a new federal point person on cybersecurity issues.
Federal requirements affecting cybersecurity also need to be streamlined and harmonized to ensure they don’t hamper organizations’ efforts to thwart cyberattacks, the report suggests.
The report includes a roadmap of imperatives that are needed to improve cybersecurity in healthcare:
- Define and streamline leadership, governance and expectations for healthcare industry cybersecurity
- Increase security and resilience of medical devices and health IT
- Develop the workforce capacity needed to prioritize and ensure cybersecurity awareness and technical capabilities
- Increase industry readiness through improved cybersecurity awareness and education
- Identify mechanisms to protect R&D and intellectual property from attacks or exposure
- Improve information sharing of threats, vulnerabilities and responses
In the meantime, hospitals should make sure they have working backups and should patch and upgrade all their systems immediately. The WannaCry attack that incapacitated more than 40 U.K. hospitals and affected more than 100 other countries could have been prevented with a routine patch that was released a couple of months before the attack.
“Patch updates are becoming extremely important, because hackers are responding to critical bugs immediately,” Kurt Osburn, a health IT security expert with ControlScan, told Healthcare Dive recently. “Healthcare organizations are high-value targets, which means their security and IT teams need to be extremely aware of what is happening in the wild and respond accordingly.”
In its report, the HHS task force notes more can be done to improve security of EHRs and medical devices, but providers must have freedom to manage and administer patches and other upgrades.