Health Care Cybersecurity Is Not in Good Health
According to the Health Care Industry Cybersecurity (HCIC) Task Force, cybersecurity in the health care industry is in critical condition. The expertise and resources required to adequately protect the cybersecurity health care infrastructure has lagged behind the rapid advances in digitization of systems and records. While health organizations accelerated the widespread adoption of electronic health records (EHR) in order to capture government subsidies, they focused primarily on the hardware and software aspects of that integration, rather than the security components. Although the Health Insurance Portability and Accountability Act (HIPAA) has required covered entities and others to safeguard protected health information, the HCIC Task Force found that many providers lacked the expertise and resources to properly comply. In addition, the complex regulatory environment has both burdened and created gaps in the health care industry, with a multitude of regulators within the Department of Health and Human Services (e.g. Office for Civil Rights, Centers for Medicare & Medicaid Services, Food and Drug Administration), as well as the Federal Trade Commission, imposing sometimes vague and redundant directives but at the same time leaving unaddressed emerging health care areas, such as medical devices, operating on advanced technology.
The risks caused by inadequate cybersecurity in the health care industry are particularly concerning because of the valuable nature of health records and the interconnectedness of health information systems. Unlike other types of personal information like credit card and bank account numbers that can be changed if compromised, health care data does not change and has value to cyber attackers that may increase over time. Moreover, regulations have pushed interoperability of EHR applications in order to create efficiencies and better service delivery from providers and greater access to patients to their health data. This has increased the “attack surface of the health information system” as those that access medical records, as well as the devices and applications that connect to them, increase. The increasing interconnectedness of health information systems creates vulnerabilities to the entire system because it will only be as secure as its weakest link.
The HCIC Task Force has recommended the prioritization of six high-level measures in order to address the vulnerabilities in health care cybersecurity:
Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
Increase the security and resilience of medical devices and health IT.
Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
Increase health care industry readiness through improved cybersecurity awareness and education.
Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
Improve information sharing of industry threats, risks, and mitigations.
While several of these are directed at the broader health care industry and infrastructure, health care organizations can take heed of those recommendations calling for more dedicated resources and increasing awareness and education in order to improve cybersecurity readiness. Health organizations should inventory their IT systems and EHR applications. Moreover, the HCIC Task Force recommends the use of the NIST Cybersecurity Framework to assess a health care organization’s cybersecurity risk environment. Importantly, board and executive level understanding of, and commitment to, cybersecurity will help drive some of the increases in security and development of a necessary workforce equipped to address the growing vulnerabilities in health care cybersecurity. What is clear is that the health of cybersecurity in the health care industry will not improve without increased focus and resources from all parties involved. Reecent attacks like the Wanna Cry virus, which took advantage of the vulnerabilities in the industry, highlight the importance of making those improvements.