Early last year, in response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force. This month the task force published its recommendations to improve healthcare cybersecurity.
While non-binding (today), the recommendations should be considered a heads up to health care organizations, “covered entities” (in the words of HIPAA), and device manufacturers. Let’s take a look at some of the challenges and advice from the task force for improving healthcare cybersecurity.
Healthcare is a Different Environment
From a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles:
- They lack security resources and expertise, and often the availability of money to correct this weakness.
- They are dealing with an extremely heterogeneous environment. While healthcare organizations may standardize on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software such as that used to manage implantable pacemakers.
- Their systems may not play well with each other. They have multiple business units, like other large organizations, and each organizations makes choices about the software solutions that best meet their needs. Electronic Health Records (EHRs) promise to help practitioners and patients by simplifying the sharing of information. When the federal government applied incentives for (ok, mandated) the adoption of EHR, healthcare organizations were inundated with choices. Let’s be clear, EHR is not plug-and-play software. It requires a lot of work to implement and maintain. As Figure 1 shows, EHR adoption increased from 9.4% in 2008 to 96% in 2015.
Most importantly, particularly in the healthcare provider market, users are focused on providing “care” 24x7x365, and this care can be extremely time sensitive. For example, timing out log-ins may be a good security practice, but can delay a practitioner’s access to critical information.
Task Force Recommendations
The Task Force’s job was not simple, but they were able to distill their recommendations into the six “imperatives” (obviously abbreviated) below.
Imperative 1: Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
As in industry, security initiatives require top-down support. In this case, the recommendation is for HHS to create a cybersecurity leader role. This role provides sufficient authority to that leader to work with and direct other agencies, and serve as a point person to “harmonize existing and future laws and regulations that affect health care industry cybersecurity.” Further, they set a goal of creating a cybersecurity framework for use across all healthcare verticals.
Imperative 2: Increase the security and resilience of medical devices and health IT.
This imperative addresses device and application security, in particular dealing with vulnerabilities in device software. In addition to recommendations for more rigorous software development life cycles (SDLCs), it recognizes the increased use of third-party software — in particular open source software — and the requirement for visibility to vulnerabilities.
This effort starts, obviously, with visibility to the components used. Imperative 2 requires transparency from manufacturers and developers in the form of a “'bill of materials' that describes its components (e.g., equipment, software, open source, materials), as well as any known risks associated with those components to enable health care delivery organizations to more quickly determine if they are impacted.”
Imperative 3: Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
Again, like other industries, security awareness is recognized as beneficial to all. This imperative extends Imperative 1 to recommend similar top-down leadership for internal security efforts. Recognizing the staffing limitations in smaller organizations, it also recommends that the industry support the creation of managed security service providers (MSSPs) .
Imperative 4: Increase health care industry readiness through improved cybersecurity awareness and education.
This includes education within organizations, from Board-level roles down. It also includes consumer education, to help protect personal health information and recognize illegitimate attempts to access information (e.g., phishing attacks).
Imperative 5: Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
The United States is a market leader in healthcare technology. Protecting that IP from counterfeiting and theft should increase patient safety and encourage further investment.
Imperative 6: Improve information sharing of industry threats, risks, and mitigations.
The financial services industry, through FS-ISAC, has been successful in improving industry-wide security through information sharing. A similar effort in healthcare would help everyone involved.
Healthcare is a Target
The recent WannaCry ransomware attacks proved that hospitals are vulnerable. The fact that these attacks could have been prevented by patching for known vulnerabilities in Microsoft products drives home the need to have visibility to vulnerabilities, and plans to update vulnerable applications and components.
To further emphasize the need, we recently saw a report detailing thousands of vulnerabilities in implantable pacemakers. Billy Rios, one of the researchers in the study, previously disclosed major vulnerabilities in drug infusion pumps.
The timing of the Task Force’s report is good. We now hope to see the government and industry embrace the recommendations.