On June 2, 2017, the Health Care Industry Cybersecurity Task Force published its Report on Improving Cybersecurity in the Health Care Industry. The lengthy and comprehensive Report serves as a wake-up call to the medical field, taking seriously the threat of cyber-attacks targeting health care providers, the dangers created by increasing digital interconnectivity in the medical field, and the industry’s shortcomings in its ability to handle the cyber-related challenges it presently faces. The House Energy and Commerce Subcommittee on Oversight and Investigations held a hearing on June 8 on the report and HHS’ greater role in cybersecurity efforts.
The Task Force was established by Congress as part of the Cybersecurity Act of 2015 and created to address cybersecurity issues facing the healthcare industry following an increase in identity theft, ransomware, and hacking. Healthcare leaders across the public and private sector worked closely together and with the general public over the course of a year, and this Report reflects their findings. It acknowledges that despite significant cybersecurity risks facing and created by the health care industry’s recent and ongoing transition to wholesale use of interconnected medical devices, most healthcare providers fail to take accountability for the security risks they help create. The Report calls upon healthcare organizations to take responsibility for securing themselves and the data they collect, and identifies six key imperatives for providers to follow in preparing to meet what the Report deems “an urgent challenge.” These imperatives are:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, weakness, and mitigations.
The Report highlights the danger of patient information falling into the wrong hands, noting that healthcare data can be misused for fraud, identity theft, supply-chain disruptions, theft and sale of propriety information, stock manipulation, and disruption of patient care. It focuses on the nature of the healthcare industry itself, a “large, diverse, and open” conglomerate subject to “a matrix of well-intentioned federal and state laws and regulations that can impede addressing issues across jurisdictions”; and emphasizes the industry’s unique, sharing culture, whereby healthcare professionals prioritize the speedy, seamless treatment of patients at the risk of opening themselves up to increased cybersecurity risks.
As discussed in our May 13, 2017 Alert on Ransomware, proactive is often easier and less costly than a reactive approach. Cyber risks continue to present a fast evolving landscape, especially in the healthcare area. Prevention is key to mitigation in this area and a better option than facing a breach unprepared. A health care entity that knows those risks and controls the data that flows within and outside its walls will be better equipped to protect sensitive data and mitigate possible security incidents.
If you are concerned that your business needs help combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Kimberly Cook (305.671.2159) or firstname.lastname@example.org or Alexandra Block (305.671.2167) or email@example.com.