The Department of Health and Human Services (HHS) said “healthcare cybersecurity is in critical condition” in its report to Congress Friday.
Hospitals and health care facilities are a honeypot for hackers and prime targets for ransomware attacks because of the huge amounts of personal information that they collect. While cyber criminals have grown more sophisticated over time, the many government agencies that share responsibility for healthcare have, until now, paid little attention to cybersecurity.
“The [U.S.] federal government takes these threats very seriously,” said Steve Curren, director of the Division of Resilience in the HHS Office of the Assistant Secretary for Preparedness and Response (ASPR) Office of Emergency Management.
The report “emphasizes that healthcare cybersecurity issues are patient safety issues, and calls for a collaborative public and private sector effort to protect our healthcare systems and patients from cyber threats,” he added.
Electronic health records are vulnerable due to a shared, publicly available application interface, according to the report, and security vulnerabilities pose risks to patient health because of the number of networked medical devices and connected IT networks.
The report labels several threats to the healthcare industry’s cybersecurity: a “severe lack of security talent”; “legacy equipment” due to health organizations using old, unsupported and vulnerable operating systems; “premature/over-connectivity” without secure design and implementation; vulnerabilities that “impact patient care”; and a “known vulnerabilities epidemic” wherein one legacy medical technology had over 1,400 vulnerabilities.
The Task Force listed six high-level imperatives that organizations should adopt: “Define and streamline leadership, governance and expectations for health care industry cybersecurity”; “increase security and resilience of medical devices and health IT”; “develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities”; “increase health care industry readiness through improved cybersecurity awareness and education”; “identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure”; and “improve information sharing of industry threats, risks and mitigations.”
HHS stressed the importance of uniform guidelines enforced throughout the industry and that government and industry stakeholders share cyber threat information.
The report underlines the necessity of a “consistent, consensus-based healthcare cybersecurity framework” that is formulated and implemented throughout the industry, and adds that federal agencies should be required to harmonize laws and regulations affecting healthcare cybersecurity.