Final Cybersecurity Report Released by HHS
June 12th, 2017
The Health Care Industry Cybersecurity (HCIC) Task Force released its Report on Improving Cybersecurity in the Health Care Industry. The HCIC, which was established through the Cybersecurity Act of 2015, identified the following six key imperatives for increasing healthcare cybersecurity:
- Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity. This includes calling for a single person within HHS to coordinate cybersecurity efforts, and for federal agencies to coordinate existing and future laws and regulations that affect the healthcare industry.
- Increase the security and resilience of medical devices and health IT. This includes working with stakeholders to make both legacy systems and new platforms more resistant to cyberattacks. It also calls for an emergency readiness team that would help respond to attacks across the industry.
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. This includes identifying and training individuals at every level of the cybersecurity chain who would be responsible for implementing security devices.
- Increase healthcare industry readiness through improved cybersecurity awareness and education. This includes the development and implementation of executive training programs and further development of a risk assessment tool for healthcare providers, similar to the one currently used for HIPAA risk assessment.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure. This would include safeguarding the massive intellectual and financial investments made in the research and development of medical devices and drugs. It also covers intellectual property and trade secret theft.
- Improve information sharing of industry threats, risks and mitigation. This includes broadening and tailoring the scope and depth of information sharing among stakeholders, especially small- and medium-sized companies that do not have full-time cybersecurity staff.