HHS Report Urges Health Care Industry to Address Cybersecurity Risks
In early June 2017, the U.S. Department of Health and Human Services (HHS) Health Care Industry Cybersecurity (HCIC) Task Force released a “Report on Improving Cybersecurity in the Health Care Industry” (the Report). The Report provides six primary recommendations for government and health care organizations to “help increase security across the health care industry.” The Report describes the health care industry’s cybersecurity issues as “patient safety” issues and emphasizes that all health care delivery organizations have a greater responsibility to secure their systems, medical devices, and patient data. The Report is particularly timely in the wake of the ransomware attack in May that crippled hospitals and health systems in the United Kingdom, and other businesses and industries across the globe. Cybersecurity planning is important for all industries, including participants in the health care delivery system – providers, payors, pharmaceutical companies, medical device manufacturers, and vendors.
The Report describes various factors contributing to how health care cybersecurity has become “a key public health concern that needs immediate and aggressive attention.” Among the factors included are the need to access patient information and share data quickly, the increasing volume of connected medical devices, and the digitalization of patient data in electronic health record systems (EHRs). Health care’s mission of helping patients – as many patients as quickly as possible – in order to avoid bad clinical outcomes presents privacy and security challenges that are unique to this industry.
The Report’s six recommendations, with key corresponding action items for the health care industry to increase security, are below (Appendix A to the report, which sets forth all recommendations and action items, is available here).
1. Define and streamline leadership, governance and expectations for health care industry cybersecurity.
- HHS should create a cybersecurity leader position to coordinate health care cybersecurity activities within HHS, establish a health care-specific Cybersecurity Framework, and require federal regulatory agencies to harmonize existing and future health care cybersecurity laws.
- Congress should explore potential impacts to federal fraud and abuse laws (i.e., the Stark Law and Anti-Kickback Statute), if sharing of cybersecurity resources is permitted.
2. Increase the security and resilience of medical devices and health information technology (IT).
- Health care delivery organizations should secure legacy systems, require strong authentication, and employ approaches to reduce the areas where vulnerabilities can be exploited by a hacker (known as the “attack surface”) for medical devices and EHRs.
- Federal agencies should establish a team (MedCERT) to coordinate medical device-specific cybersecurity.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Every organization should identify cybersecurity leadership, and the industry should establish a model for hiring.
- The federal government should create managed security services provider (MSSP) models to support small and medium-sized providers, and these providers should evaluate options to migrate patient records and legacy systems to secure environments.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
- The industry should ensure that the risks of existing and new products and systems are managed securely.
- HHS should work with the National Institute of Standards and Technology (NIST), implement an education campaign, and provide patients with information on how to manage their health care data.
5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
- The federal government should develop guidance on how to create an economic impact analysis describing cybersecurity risk.
- Entities that manage big data solutions should pursue research into protecting health care big data sets.
6. Improve information sharing of industry threats, risks, and mitigations.
- HHS and the industry should broaden information sharing, including for small and medium-sized health care organizations, and create more effective mechanisms for disseminating and utilizing data.
- Health care delivery organizations should implement cybersecurity incident response plans that are reviewed and tested annually.
The HCIC Task Force was created as part of the Cybersecurity Act of 2015 to “address the challenges the health care industry faces when securing and protecting itself against cybersecurity incidents.” The HCIC Task Force’s directives included: analyze how other industries have implemented cybersecurity strategies and safeguards; analyze cyber challenges to private entities in the health care industry; and review challenges in securing networked medical devices and other software or systems that connect to an EHR. According to HHS, the HCIC Task Force was composed of government and private industry leaders who are innovators in technology and leaders in health care cybersecurity. The HCIC Task Force held public meetings and consulted with other experts over the past year in order to develop the recommendations.
The full Report may be found here: Report on Improving Cybersecurity in the Health Care Industry.
With the increasing use and reliance upon electronic data, and the sophistication of hackers, it is imperative that businesses across the health care delivery system take steps to secure health care data, including confirming the compliance and efficacy of HIPAA Security Rule programs.
Saul Ewing attorneys counsel health care industry clients about cybersecurity matters, including HIPAA Security Rule compliance. For more information about the Report or this Alert, please contact the authors or the attorney at the firm with whom you are regularly in contact.