HHS: Healthcare Cybersecurity In ‘Critical’ Condition
By Grant Huang, CPC, CPMA, Director of Content at DoctorsManagement
The nation’s healthcare provider organizations are at greater risk of cybersecurity breaches than any other type of organization, according to a highly anticipated HHS report on the state of cybersecurity across the industry.
Entitled “Report on Improving Cybersecurity in the Health Care Industry,” the 96-page document paints an alarming picture of practices and hospitals with lax cybersecurity protocols being actively targeted by criminal hackers and even foreign nation states.
“Real cases of identity theft, ransomware, and targeted nation-state hacking prove that our health care data is vulnerable,” the report, authored by a special cybersecurity task force within HHS, states. Patient data is a prize for such attackers, who use it for “nefarious purposes such as fraud, identity theft, supply chain disruptions, the theft of research and development, and stock manipulation,” the report states.
Report offers 6 ‘imperatives’
The HHS task force outlines six key imperatives as a result of its findings. While many involve consolidating various state and federal initiatives to improve cybersecurity, some are highly specific and speak to measures needed at the level of individual practices and organizations. The imperatives are:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity. This step includes a suggestion to amend Stark law to allow physicians to receive financial assistance from healthcare organizations to pay for cybersecurity software.
- Increase the security and resilience of medical devices and health IT. This step includes a recommendation to “secure legacy systems,” including old operating systems or EHR/practice management software that is no longer supported by vendors and is now vulnerable to security exploits.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. The report recommends “identifying people and tools for addressing the small and medium-sized health care organizations which cannot typically afford full-time technical resources.” It suggests smaller groups share cybersecurity staff and vendors rather than omit them entirely.
- Increase health care industry readiness through improved cybersecurity awareness and education. This includes a recommendation that healthcare associations include additional education sessions on cybersecurity at conferences and trade shows.
- Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, risks, and mitigations.
Look for more detailed guidance on what your practice can do to improve its cybersecurity in a future issue of The Business of Medicine.
— Grant Huang, CPC, CPMA (firstname.lastname@example.org). The author is Director of Content at DoctorsManagement.