HHS Cyber Task Force report offers much-needed recommendations [Commentary]

Capture-1.jpg

Photo Credit: kopitinphoto/Getty Images

On June 2, 2017, the Health Care Industry Cybersecurity Task Force under the Department of Health and Human Services released its Report on Improving Cybersecurity in the Health Care Industry, beseeching six Congressional chairmen to consider six imperatives along with cascading recommendations and action items that demonstrate the need for a unified public-private collaboration to increase patient safety and to diminish the constant cybersecurity threat to the healthcare sector from cyber criminals, digital mercenaries, techno-jihadists, nation-state sponsored advanced persistent threats (APTs), and others who target vulnerable critical systems and sensitive treasure troves of patient information with ransomware and other malware.

The report was incited by the Cybersecurity Act of 2015, but its necessity was reinforced by the recent WannaCry global ransomware attack that crippled over 300,000 systems in 150 countries, including those of at least 16 NHS organizations in Britain. The findings of the task force address the hyper-evolving threat landscape surrounding healthcare systems, electronic patient records, and medical device security by increasing information sharing and awareness, by increasing public-private partnerships, and by establishing a cybersecurity leadership position within HHS.

The first imperative delineates and streamlines healthcare cybersecurity leadership, governance and expectations by advocating for the creation of a HHS Health Care Cybersecurity Leader position to coordinate public-private activities and act as a focused source for authoritative clarification, explanation and guidance, by proposing the standardization of the NIST Cybersecurity Framework to normalize risk assessment and definitions to ease information sharing, to expand the governance of information to a multi-stakeholder model that focuses on the people, processes, and policies that generate, use and manage essential healthcare data.

It also calls for a holistic and systematic risk modeling and reduction regulatory process that can be applied to legacy and modernized medical systems and devices used in the diagnosis, monitoring or treatment of patients or that store, transmit or process patient records.

Accordingly, the second imperative addresses foundational challenges to medical devices and systems to enhance the cybersecurity of medical devices, EHRs, legacy applications through the modernization of regulation, a secure-by-design developmental lifecycle, resilient authentication and access controls, and systematic product deployment, management and maintenance methodologies.

Because humans are the weakest link in cybersecurity, the next imperative focuses on the development of a cyber-hygienic and cybersecurity-focused healthcare workforce within large organizations as well as small, rural and under-resourced organizations by optimizing governance, resource management and by identifying and prioritizing critical security duties.

Personnel’s cybersecurity readiness, collaboration and cyber hygiene can be increased through training and education according to the fourth imperative. R&D efforts and intellectual property are protected from nation-state and other threat actors in the fifth imperative by the implementation of authentication and access control mechanisms, industry and academic cybersecurity guidance, and protections of data at rest, in transit, and during processing. The final imperative recommends the establishment of automatic, actionable and flexible real-time cyber threat information sharing tailored to the size and characterization of specific stakeholders, data subjects and healthcare organizations.

Among critical infrastructure, the healthcare sector is the “lowest-hanging fruit” due to a persistent ignorance of cybersecurity and cyber hygiene best practices and a tenacious resistance to change and modernization, resultant from fear, lack of resources and a cultural prioritization of profit and convenience over security.

Overall, the HHS Health Care Industry Cybersecurity Task Force report excels at offering concise, actionable and holistic recommendations to modernize the cybersecurity culture and practices of the healthcare sector to the minimum necessary to combat the dynamic and incessant barrage of threats intent on exploiting sensitive systems, exfiltrating valuable patient data and intellectual property and crippling critical infrastructure systems.

James Scott is a senior fellow and co-founder of the Institute for Critical Infrastructure Technology and the author of more than 30 books, with nine best sellers on the topic of health IT, internet of things, energy sector cybersecurity, nation state cyber espionage and more. He advises to more than 25 congressional offices, caucuses and committees on cyber warfare and cybersecurity, as well as federal agencies such as DoE, NSA, HHS, NASA, NIST and others.