HHS task force spells out ‘urgent challenge’ of cybersecurity in healthcare

Classifying cybersecurity as a patient safety concern, a long-awaited report by a federal task force identified some of the key cybersecurity vulnerabilities in healthcare and stressed the importance of collaboration between all stakeholders to close those gaps.

Over the past year, 21 members of the Department of Health and Human Services’ (HHS) Cybersecurity Task Force discussed some of the key vulnerabilities facing the industry. On Friday, the group released (PDF) a report that many had been anticipating for the last month, particularly in the wake of the WannaCry ransomware attack that impacted dozens of NHS hospitals and left others concerned that subsequent attacks could have an even bigger impact on patient care.


The report called for a “unified effort” among both public and private entities spanning a wide range of sectors, including payers, providers, medical device manufacturers, research institutions and software developers.

Two of the most pressing issues identified by the task force were a lack of resources available to the provider community to adequately address emerging threats and a “severe” workforce shortage. Both issues have a greater impact on small and medium-sized providers that don’t have designated chief information security officers and are forced to balance cybersecurity investments with patient care needs.

“Today, much of healthcare is delivered by smaller practices and rural hospitals that may not have the resources to protect against these threats,” Steve Curren, director of the division of resilience in the Assistant Secretary for Preparedness and Response at the Office of Emergency Management, wrote in a blog post. “Unfortunately, these organizations often do not possess the infrastructure to identify and track threats, lack the technical capacity to analyze the threat data they receive in order to quickly translate it into actionable information, and lack the capability to act on that information.”


The report recommended setting acceptable industry standards for the ratio of dedicated cybersecurity staff based on the size of an organization, similar to California’s law requiring a minimum nurse-to-patient ratio. 

Medical device insecurity was also a major concern identified in the report. While providers need to improve management and patching of legacy systems, the task force called on manufacturers to be more transparent about their ability to patch and update systems and to address security throughout each device’s lifecycle.

The report had recommendations for the federal government as well, including creating a cybersecurity leadership role within HHS that could oversee industrywide efforts. The task force also called on HHS to provide more guidance on applying the National Institute of Standards and Technology’s framework to the healthcare industry and consider incentives that would allow providers to phase out old, vulnerable legacy systems.


Industry groups welcomed the recommendations that address longstanding concerns among cybersecurity experts.

“The report and the Task Force's thoughtful recommendations come at a critical time, offering solutions to many of the challenges and opportunities our members have previously identified in their efforts to improve their organization's cybersecurity hygiene,” said College of Healthcare Information Management Executives President and CEO Russell Branzell in a statement.