Jun 06 2017

Healthcare Cybersecurity in 'Critical Condition'

A task force report to Congress outlines that many organizations lack the resources to keep up with growing threats.

Continued hacks and insecure connectivity are key public health concerns that put patient privacy and safety at unnecessary risk, say health experts who served on a federally convened task force.

In a report published Friday, the task force, established by Congress as part of the Cybersecurity Act of 2015, concludes that healthcare cybersecurity is in "critical condition." Many organizations lack the infrastructure to pinpoint, track and analyze threats, the task force says, and thus don’t know when or if they’ve been attacked. They also often lack the financial resources to take appropriate action or even retain qualified in-house information security support staff.

What’s more, clunky legacy systems vulnerable to cyberthreats bog down a large number of facilities, according to the report. The task force also calls over-connectivity an issue, saying that Meaningful Use requirements drove providers to adopt federally certified electronic health record systems without secure design and implementation.

“The Meaningful Use program combined with the Merit-Based Incentive Payment System will continue to push providers to use EHRs and other technologies to exchange patient information electronically,” the task force says. “In addition, alternate payment models of care which rely heavily on the use of health IT combined with the increased capacity of medical devices to store a growing amount of [protected health information], means more patient data is at risk for cybersecurity attacks.”

A Culture Change Needed for Providers

Another issue: Many providers and other healthcare workers also assume their level of cybersecurity vulnerability is low, according to the report. Information security often is seen as a challenge for the IT department, as opposed to one that impacts an organization more holistically, it notes.

“A lack of understanding of the risks cyberthreats pose, and limited education and awareness programs for health care professionals increases the impacts that cyber threats could have on the sector,” the task force says.

To that end, it says shifting industry thinking to prioritize cybersecurity requires both a change in culture and more support and guidance from organizational leaders.

A Tall Task Ahead to Meet Security Expectations 

The task force makes more than 100 recommendations, overall. Task force member Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center, tells Politico that cybersecurity issues in healthcare are so vast that the recommendations may be impossible to meet.

“One thing that stands out for me is how tough this problem is,” he says.

Still, Russell Branzell, president and CEO for the College of Healthcare Information Management Executives, says the report is notable in that it “marks an important milestone in the recognition of the importance of strengthening the cybersecurity posture of the healthcare industry.”

One effort that could help: The Department of Health and Human Services plans to launch a cybercommand center by the end of the month. The Health Cybersecurity and Communications Integration Center will share cybersecurity threat information specific to the healthcare industry with other agencies and the private sector. In sharing information with medical professionals, the HCCIC will attempt to explain the impact of cyberthreats as they pertain to business.