After the WannaCry cyberattack hit healthcare providers and other organizations worldwide, the federal Health Care Industry Cybersecurity Task Force released a report that offers recommendations for action to be taken by the healthcare industry, Congress, HHS, and other groups.
The following are some of the recommendations:
- Recommendation 1.2: Establish a consistent, consensus-based healthcare-specific Cybersecurity Framework.
In other critical infrastructure sectors, a framework helped establish a consensus-based standard for improving the conversation around cybersecurity, the report notes. “Although NIST has developed a generic framework, healthcare (like other sectors) has many unique aspects such as its diverse resource capabilities, legacy systems that will persist for years, and the burden of the need to have low barriers for sharing of data that is essential for collaborative patient-oriented care,” according to the report. “The framework should build upon the minimum standard of security required by the NIST Cybersecurity Framework and the HIPAA Security Rule to promote a single lexicon for the healthcare sector as well as standards, guidelines, and best practices. The complex environment requires certain basic standards that all stakeholders must meet and guidelines that allow flexibility for select issues. Without this framework, any of the countless constituents may pose a risk to the healthcare ecosystem.”
- Recommendation 1.5: Explore potential effects to the Stark Law, the Anti-Kickback Statute, and other fraud and abuse laws to allow large healthcare organizations to share cybersecurity resources and information with their partners.
The task force heard many concerns related to potential constraints imposed by the Stark Law and the Anti-Kickback Statute. “We strongly encourage Congress to evaluate an amendment to these laws specifically for cybersecurity software that would allow healthcare organizations the ability to assist physicians in the acquisition of this technology, through either donation or subsidy. A regulatory exception to the Stark Law and a safe harbor to the Anti-Kickback Statute to protect certain donations of electronic health records (EHRs) effectively addresses management of technology between healthcare entities and serves as a perfect template for an analogous cybersecurity provision,” the report says. “Physician groups confront myriad financial challenges. Often, these financial constraints limit their ability to manage the EHR software without trained security professionals who have the expertise to provide sufficient cybersecurity programs to protect their patient records. We need to empower small providers or suppliers (e.g., physician practices) to actively manage their security posture, not hinder them. Often, organizations want to provide technology to ensure smaller business partners do not become a liability in the supply chain. An exception may provide for this assistance without creating fear of violating the Stark Law or Anti-Kickback Statute.”
- Recommendation 2.4: Require strong authentication to improve identity and access management for healthcare workers, patients, and medical devices/EHRs.
“The delivery of healthcare is founded on the establishment of a trust relationship between and among providers and patients. The foundation of this trust is the belief and confidence in the identities of the individuals involved (providers and patients). Through strong identity and access management practices, this trust relationship should be extended to the medical devices that are used to provide patient care,” the report says. “Clinicians in a hospital setting are required to access multiple computers throughout the facility repeatedly (up to 70 times per shift) as they deliver care to patients. In order to authenticate their identity so that they can perform common tasks (e.g., access a patient’s medical record, order diagnostic tests, prescribe medication, etc.), a clinician typically enters his or her username and a unique password. This widely used, single-factor approach to accessing information is particularly prone to cyberattack as such passwords can be weak, stolen, and are vulnerable to external phishing attacks, malware, and social engineering threats.”
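The following is an added illustration of the "strong authentication" the task force contrasts with the single-factor username-and-password login described above; it is not code from the report or from any healthcare vendor. It verifies a clinician's password (PBKDF2) and a time-based one-time password (TOTP, RFC 6238) and rejects a login when only the password is correct, which is the case a stolen or phished password produces. The user record, salt and timestamps are constructed for the example; the TOTP secret is the published RFC 4226/6238 test secret so the codes can be checked against those specifications.

```python
"""Two-factor login check: PBKDF2 password hash plus a TOTP (RFC 6238)
one-time code.  Added example, not code from the task force report;
the user record, salt and timestamps below are constructed."""
import hashlib
import hmac
import struct
import time
from typing import Optional

DIGITS = 6   # code length
STEP = 30    # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def totp_matches(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps on either side to absorb
    clock drift between the authenticator and the server; compare each
    candidate in constant time so timing does not leak digits."""
    counter = now // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash for storage (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed clinician record.  In a real deployment the salt is random
# per user and the TOTP secret is provisioned at enrollment.
SALT = b"constructed-salt-0001"
USER = {
    "username": "dr.example",
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",  # RFC 4226/6238 test secret
}


def verify_login(user: dict, password: str, otp: Optional[str],
                 now: Optional[int] = None) -> bool:
    """Both factors must pass.  A correct password with a missing or wrong
    one-time code is rejected, which is what defeats a phished password."""
    if now is None:
        now = int(time.time())
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    if not pw_ok or otp is None:
        return False
    return totp_matches(user["totp_secret"], otp, now)


if __name__ == "__main__":
    t = 59  # constructed timestamp; RFC 6238 lists 287082 (6 digits) here
    code = totp(USER["totp_secret"], t)
    print("password only  :", verify_login(USER, "correct horse battery staple", None, t))
    print("password + OTP :", verify_login(USER, "correct horse battery staple", code, t))
```

The one-step drift window is a design choice: a wider window makes a code usable for longer, which trades convenience against replay time; a server that accepts a code should also record the last counter it accepted for that user so the same code cannot be replayed within the window.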