The healthcare industry’s cybersecurity issues represent an urgent challenge that both public and private sector stakeholders must work together to address, according to the long-awaited “Report on Improving Cybersecurity in the Health Care Industry” from the Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force.
The group gathered healthcare leaders and experts from across the healthcare industry, as well as from other infrastructure sectors, to provide information on cybersecurity best practices, trends, threats, and general concerns. The timing of the report’s release is particularly pointed, as some providers are still working to shake off the effects of the WannaCry ransomware attack. As the report’s authors note, “recent ransomware incidents have also highlighted how patient care at health care delivery organizations can be interrupted due to a system compromise.”
Addressing the vulnerabilities currently facing the healthcare industry is of particular importance as “cybersecurity issues are, at their heart, patient safety issues,” according to the report. “As health care becomes increasingly dependent on information technology, our ability to protect our systems will have an ever greater impact on the health of the patients we serve,” the authors wrote.
The report included six imperatives developed by the task force for the industry to undertake to ensure the continued provision of safe, high-quality care:
- Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity
- Increase the security and resilience of medical devices and health IT
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
- Increase healthcare industry readiness through improved cybersecurity awareness and education
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure
- Improve information sharing of industry threats, weaknesses, and mitigations
In the report, the task force noted that the healthcare sector experienced more cyber incidents that resulted in data breaches than any other critical infrastructure sector. “The fact that these cyber incidents resulted in breach highlights the lack of organizational awareness and technical expertise in healthcare,” says Kathy Downing, MA, RHIA, CHPS, PMP, senior director of information governance and privacy and security at AHIMA.
The report addressed the rapid implementation and advancement of electronic health records (EHRs), which the authors said resulted in an increased “attack surface” for healthcare providers. This includes not only the EHR used within the organization, but also its endpoints, such as patient portals and medical devices, Downing said.
The HHS report also notes that the push for interoperability has increased patient safety risk due to organizations using minimal standardization or guiding security practices and introducing insecure solutions.
“The health care system cannot deliver effective and safe care without deeper digital connectivity,” the report stated. “If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.”
The report includes many recommendations that point to improving privacy and security education and awareness within the healthcare industry—a call to action that will be familiar to many health information management professionals. “This is a similar message we have with information governance,” Downing said. Information governance calls for a broader approach to education and awareness within an organization, which Downing said encompasses “all information responsibilities across the organization, not just focused on protected health information and what HIPAA requires.”
The report also took note of the “complicated patchwork of laws” that healthcare organizations must currently contend with—from HIPAA and HITECH to state laws that might be inconsistent with federal laws. The task force recommended that “harmonization of existing and future laws” could help to remove the resource and financial burdens that organizations currently face when trying to be compliant with disparate regulations.
AHIMA will be offering a webinar with security experts to discuss the HHS report in more detail in July. The on-demand webinar will be available at www.ahimastore.org.
The task force was established in March 2016 as part of the Cybersecurity Act of 2015, and its members represented a wide variety of organizations within the industry, including hospitals, insurers, patient advocates, security researchers, pharmaceutical companies, medical device manufacturers, health information technology developers and vendors, and laboratories.
Sarah Sheber (email@example.com) is assistant editor and web editor at Journal of AHIMA.