The Health Care Industry Cybersecurity Task Force, established by the Department of Health and Human Services in March 2016 as required by the Cybersecurity Act of 2015, recently delivered its findings to Congress. The "Report on Improving Cybersecurity in the Health Care Industry" sets out steps intended to improve cybersecurity practices throughout the healthcare industry.

The task force members held four in-person public meetings and several virtual meetings to address the five requirements of the Cybersecurity Act. Specifically, the Act tasked the task force with:

  • analyzing how companies outside of healthcare have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries
  • analyzing challenges and barriers private entities in the healthcare industry face securing themselves against cyberattacks
  • reviewing challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record
  • providing the Secretary of HHS with information to disseminate to healthcare industry stakeholders for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry
  • establishing a plan so that the federal government and healthcare industry stakeholders can share actionable cyber threat indicators and defensive measures in real time

The task force devised the following six imperatives to raise the current level of health IT security:

  • Imperative 1: Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity.
  • Imperative 2: Increase the security and resilience of medical devices and health IT.
  • Imperative 3: Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  • Imperative 4: Increase healthcare industry readiness through improved cybersecurity awareness and education.
  • Imperative 5: Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
  • Imperative 6: Improve information sharing of industry threats, risks and mitigations.

To address risks associated with legacy systems, the task force recommends providers frequently assess and mitigate problems with operating systems and EHRs in accordance with the following four action items:

  • Inventory their clinical environments and document unsupported operating systems, devices, and EHR systems.
  • Replace or upgrade systems with supported alternatives that have superior security controls where possible.
  • Develop and document retirement timelines where devices cannot yet be replaced.
  • Leverage segmentation, isolation, hardening, and other compensating risk reduction strategies for the remainder of their use.
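The fourth action item (segmentation, isolation and hardening for devices that cannot yet be retired) is the one a network team has to turn into configuration. The following nftables ruleset is an added illustration, not part of the task force report: it sits on the gateway between a VLAN of unsupported devices and the rest of the hospital network, denies everything by default, and permits only the single clinical data flow those devices need. The subnet, host addresses, interface-engine port (HL7 over MLLP) and jump-host ports are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example: compensating-control segmentation for an unsupported-device VLAN.
# All addresses and ports below are assumptions for illustration, not values from the report.
define legacy_vlan   = 10.50.0.0/24    # unsupported imaging workstations and bedside devices (assumed)
define ehr_interface = 10.10.5.20      # EHR interface engine that receives their results (assumed)
define hl7_port      = 2575            # HL7 over MLLP listener on the interface engine (assumed)
define mgmt_jump     = 10.10.9.5       # hardened jump host used for vendor maintenance (assumed)

table inet legacy_segment {
    chain forward {
        # Default deny: a flat network where the legacy VLAN can reach anything is the
        # weak setting this ruleset replaces.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept      # return traffic for flows allowed below
        ct state invalid drop

        # 1. Legacy devices may only send clinical data to the EHR interface engine.
        ip saddr $legacy_vlan ip daddr $ehr_interface tcp dport $hl7_port accept

        # 2. Only the jump host may initiate connections into the legacy segment,
        #    and only for remote support protocols.
        ip saddr $mgmt_jump ip daddr $legacy_vlan tcp dport { 22, 3389 } accept

        # 3. Everything else from the legacy segment is dropped. Log it: an unsupported
        #    host suddenly probing SMB or RDP on other segments is a compromise indicator,
        #    not a configuration error.
        ip saddr $legacy_vlan tcp dport { 135, 139, 445, 3389 } log prefix "legacy-lateral " drop
        ip saddr $legacy_vlan log prefix "legacy-egress-denied " drop
    }
}
```

Load it with `nft -f` on the gateway and watch the two log prefixes for a week before trusting the allow list: anything legitimate that still trips the deny rules (NTP, a PACS server, a print queue) belongs in the inventory from the first action item, and gets its own narrow allow rule rather than a return to a flat network.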

Over the course of the year, the task force invited healthcare industry leaders and experts from other critical infrastructure sectors to brief the members on cybersecurity best practices, trends, threats and general concerns. The task force also published several blog posts encouraging the public to submit information, thoughts and ideas to inform its deliberations and address the Act's requirements.

The task force members represented a variety of organizations within the healthcare and public health sector, including hospitals, insurers, patient advocates, security researchers, pharmaceutical companies, medical device manufacturers, health information technology developers and vendors, and laboratories.

Now that the report has been delivered, the task force has officially disbanded.