On June 2, the Health Care Industry Cybersecurity Task Force issued a draft of its Report on Improving Cybersecurity in the Health Care Industry, an analysis of how to strengthen patient safety and data security in an increasingly connected world.
The Congressional report, which sums up the state of healthcare cybersecurity to be in “critical condition,” may shock outsiders, but should come as no surprise to those in the industry, who are well-aware of the challenges and have been awaiting the report as a preview of potential future government regulatory action.
The report lists six imperatives, along with several recommendations and action items. The recommendations bring to the forefront several issues facing the healthcare industry — most notably the risk to patient safety. That’s a departure from the traditional focus on privacy and data protection, and suggests a regulatory gap that needs to be addressed quickly.
The release of this report could not have been timelier, coming on the heels of the debilitating worldwide “WannaCry” ransomware attack that forced hospitals in England to cancel surgeries. Last week we published a flash report that takes a deeper look into the Task Force’s document.
We think that organizations should not wait for the government to initiate solutions. Instead, healthcare providers and medical device makers should proactively increase efforts to bolster cybersecurity to avoid potentially overreaching or misaligned legislation.
In our flash report, we recommend that healthcare providers consider the following actions, tied to key themes of the report:
THEME: (providers) Existing efforts are not enough and patient safety is at risk.
ACTION: Expand cybersecurity efforts to include patient safety.
Healthcare leaders should note the emphasis on patient safety and ensure their cybersecurity program has fully addressed risks that could result in patient safety issues, not just a data breach.
THEME: (providers) Legacy devices are a significant problem.
ACTION: Create a concrete plan for legacy devices.
Develop a plan to phase out or update insecure legacy devices and operating systems, ideally over the next five years, and implement compensating controls such as network segmentation, enhanced monitoring and application whitelisting in the next 12 months to help address the near-term risk.
THEME: (providers) Lack of standard cybersecurity practices.
ACTION: Start formally aligning to a cybersecurity framework.
The report recommends that the Department of Health and Human Services (HHS) develop a health-care specific framework based on the minimum standard of security provided by the NIST Cybersecurity Framework and the HIPAA Security Rule. Health care organizations should begin now to think about how they would align their controls to the NIST CSF standard.
THEME: (manufacturers) Lack of cybersecurity focus; software development lifecycle (SDLC) gaps.
ACTION: Expand cybersecurity efforts, focus on SDLC.
Manufacturers should use the report as an opportunity to determine whether their medical device security program is adequate, given the increased attention on this area and the risks highlighted in the report. Specifically, manufacturers should be able to demonstrate clear security inclusion from new product model requirements through product retirement.
THEME: (manufacturers) Legacy systems are a hot-button issue.
ACTION: Increase activities for reducing numbers of in-use legacy devices.
To avoid negative impacts, manufacturers should work with healthcare providers to reduce the number of potentially compromised medical devices, through customer education and incentives.
THEME: (manufacturers) Minimum cybersecurity standards for medical devices.
ACTION: Work with industry peers to develop a standard.
We anticipate that future FDA device approvals will be contingent on meeting minimum cybersecurity standards. With the typical device development process of five to seven years, manufacturers need to collaborate now to get ahead of regulations and avoid business disruption.
The task force took a year to complete its report, and the result is a very thorough look at the challenges facing healthcare security today. Healthcare providers and medical device manufacturers would be well-served by a careful review of the report to determine how the adoption of these recommendations might affect their organizations.
Download the Protiviti flash report here.