The Health Care Industry Cybersecurity Task Force recently submitted to Congress its Report on Improving Cybersecurity in the Health Care Industry, with warnings about the growing challenges of intentional and unintentional cyber incidents with our nation’s health care. The Task Force, a public-private partnership created by the Cybersecurity Act of 2015, stressed that “ow more than ever, all health care delivery organizations … have a greater responsibility to secure their systems, medical devices, and patient data.”
As noted by the Task Force, the United States health care industry is a “mosaic,” including large health systems, single physician practices, public and private research payers, research institutions, medical device developers and software companies, and a diverse patient population. This mosaic creates challenges to uniformity in cybersecurity and barriers to improvements. Further, a “matrix of well-intentioned federal and state laws and regulations” must be understood, implemented and coordinated.
Too often, health care administrators and practitioners assume that their IT networks and devices are functioning without cybersecurity vulnerability and that their IT departments are the only focal points to address cyber concerns. Such passivity can have dangerous and drastic implications, as recent ransomware incidents have demonstrated that health care delivery organizations can be interrupted due to a system compromise.
The Task Force identified the following six high-level imperatives by which to organize its recommendations and action items to improve the health care industry’s cybersecurity:
- Define and streamline leadership, governance and expectations for cybersecurity
- Increase security and resilience of medical devices and health IT
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
- Increase health care industry readiness through improved cybersecurity awareness and education
- Identify mechanisms to protect research and development efforts and intellectual property from attacks and exposure
- Improve information sharing of industry threats, weaknesses and mitigations
Health Care Cybersecurity: Additional Action Items
The recommendations include action items for implementation and identify key players to ensure their success. Most of all, the government and private health care sector must ensure that there are adequate resources and national collaboration in the face of ever-evolving cyber threats, which often specifically target the vulnerabilities of the health care industry due to the immediate impacts that disruptions can cause.
Steven M. Richard is a trial and appellate lawyer at Nixon Peabody. Read more Nixon Peabody blogs here.
