The Healthcare Industry Cybersecurity Task Force’s report on healthcare cybersecurity echoes a similar study on medical device security issued by Synopsys and the Ponemon Institute.

On the heels of a damning study by Synopsys and the Ponemon Institute, which provides a blow-by-blow accounting of the many problems with medical device security, a federal task force has finally released its report on the poor state of healthcare cybersecurity and how to fix it. The report, issued by the Health Care Industry Cybersecurity Task Force, was mandated by the Cybersecurity Act of 2015, identifies six “high-level imperatives” to improve healthcare cybersecurity in the U.S.:

1. Define and streamline leadership, governance, and expectations for healthcare cybersecurity.
2. Increase the security and resilience of medical devices and health IT.
3. Develop the workforce capacity necessary to prioritize and ensure healthcare cybersecurity awareness and technical capabilities.
4. Increase healthcare cybersecurity readiness through improved awareness and education.
5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, risks, and mitigations.

Medical Devices, Legacy Systems Pressing Issues for Healthcare Cybersecurity

The federal task force’s findings on medical device security echoed those of the Ponemon/Synopsys report, meaning that it is largely nonexistent: There are no standards, no testing procedures, and no accountability. The task force urges medical device manufacturers to improve manufacturing and development transparency; bake cybersecurity into the software development lifecycle when developing medical devices and EHRs (including issuing security patches throughout the product’s lifecycle); and collaborate with healthcare organizations to establish standards for device-device authentication.

Legacy systems also pose grave risks to healthcare cybersecurity. This was illustrated by the recent WannaCry ransomware attacks, which targeted machines using older versions of Windows and hit the U.K.’s National Health Service particularly hard, forcing facilities to cancel procedures and divert emergency patients. Among other proactive security measures, the task force instructs healthcare organizations to 1) inventory their data environments and document unsupported operating systems, devices, and EHR systems; 2) when possible, replace or upgrade systems with supported alternatives that have superior security controls; 3) in cases where equipment cannot be replaced, develop and document retirement timelines; and 4) leverage segmentation, isolation, hardening, and other compensating risk reduction strategies for the remainder of each piece of equipment’s lifecycle.

A Point Person and a Set of Standards Are Needed

Modern healthcare organizations operate in a complex data environment that involves not only the protection of patient records but also payment card data, tax data, and a multitude of devices used both to store information and treat patients. Meanwhile, healthcare organizations are subject to multiple security standards and frameworks, many of which contradict each other. Worse yet, in some areas, such as smart medical devices, there are no standards.

To address these issues, the task force recommends appointing a single person within the Department of Health and Human Services (HHS) to coordinate healthcare cybersecurity initiatives and liaise with other cybersecurity centers within the government, as well as a cybersecurity rapid response team whose job would be to respond to vulnerabilities in medical devices.

Further, the task force recommends utilizing the National Institute of Standards and Technology (NIST) Cybersecurity Framework to standardize risk assessment and definitions industry-wide. That said, the task force recognizes that the NIST framework is generic, and not all sections can be directly mapped to a healthcare environment; therefore, the task force recommends that NIST work with HHS to develop an application of the framework specific to healthcare cybersecurity environments.

The key takeaway from the taskforce report is that proactive cybersecurity, with risk assessments, testing, and robust compliance standards, will win the day.

The cybersecurity experts at Continuum GRC have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cybersecurity programs.

Continuum GRC is proactive cybersecurity®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

[bpscheduler_booking_form]