Analysis: Are HHS Cybersecurity Recommendations Achievable?
Experts Sort Through New Task Force Report
A new Department of Health and Human Services report to Congress containing more than 100 recommendations for how healthcare can better address cybersecurity threats is stirring debate over whether smaller organizations will be able to take the recommended actions.
Among the report's recommendations, for example, are that organizations replace or upgrade outdated systems, carefully review how much data they retain and take a team approach to maintaining medical devices.
"The report writers clearly recognize the big challenges healthcare organizations face," says Kate Borten, president of privacy and security consulting firm The Marblehead Group. "And while the task force and government groups can and should move ahead on big-picture national objectives, the small and midsize organizations will continue to struggle with cybersecurity."
The 88-page HHS report, which was developed over the last year with input from a cyber task force of healthcare, security and technology experts, was called for under the Cybersecurity Information Sharing Act of 2015.
The report examines "how to build a strong private-public partnership to make everyone successful," task force co-chair Emery Csulak, CISO for HHS' Centers for Medicare and Medicaid Services, said during a Friday press briefing discussing the document. "We really looked at how to make the whole sector successful - a key piece of that is making sure that small and medium-sized organizations don't get left behind."
The report "demonstrates the urgency and complexity of the cybersecurity risks facing the healthcare industry and calls for a collaborative public and private sector campaign to protect our systems and patients from cyber threats," HHS says in a statement.
The document contains dozens of recommendations and "action items" falling under six main imperatives:
- Define and streamline leadership, governance and expectations for healthcare industry cybersecurity;
- Increase security and resilience of medical devices and health IT;
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities;
- Increase healthcare industry readiness through improved cybersecurity awareness and education;
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure;
- Improve information sharing of industry threats, risks and mitigations.
Smaller Provider Challenges
While some observers praise the report for recognizing issues facing organizations of all sizes, others argue that smaller organizations with stretched resources will struggle to set and implement priorities for implementing the task force's recommendations.
"Even though the task force did not have much representation from small and rural providers, I was impressed with the numerous references to small and rural providers and the suggestions for helping them," says Tom Walsh, president of the consulting firm tw-Security. "The task force gets it. Folks that reside inside the Washington D.C. beltway often forget that the majority of healthcare in our country is delivered in small or rural settings."
For instance, the report notes: "We recommend that industry create more low-cost, managed security service provider models to support smaller and under-funded entities in order to ensure that they have the same level of robust, state-of-the-art security monitoring, defensive, and reporting capabilities as larger healthcare organizations."
This would allow healthcare organizations to leverage resources and expertise, "such as a shared security official, and will create economies of scale. MSSPs would be better resourced to engage in information sharing activities, such as Information Sharing and Analysis Organizations," the report adds.
The report recommends that the federal government "should evaluate incentive options, such as grants and tax incentives, to encourage more MSSPs to achieve economies of scale to support small and medium-size health care providers."
Getting on Board
But getting smaller providers on board with the report's various recommendations and best practices could prove difficult, Borten says.
"The nation certainly needs more guidance at a 'security-for-dummies' level, more trained personnel and standardized laws and regulations," she says. "But those may not make a big difference for small and midsize provider organizations with thin budgets and competing priorities for... patient-focused outcomes."
Privacy attorney David Holtzman, vice president of compliance at the consultancy CynergisTek, agrees that smaller entities - which make up a large portion of the nation's healthcare system - will likely continue to struggle with the report's recommendations.
"The majority of information systems that create or maintain personally identifiable health information are owned and managed by small organizations whose capability or access to the people or technology to secure information systems is limited by financial constraints or ability to attract well-trained human resources," he says. "At first glance, it is difficult to see how these small organizations can translate the recommendations in the report into tangible progress."
The report notes that the task force recommendations "reflect a shared understanding that for the healthcare industry cybersecurity issues are, at their heart, patient safety issues."
Mac McMillan, president at CynergisTek, contends that overall, "the report does a good job of identifying the problems, and offering some useful ideas, but falls short of identifying specific government actions to enable them or where the resources will come from to support them." He says the most critical issues raised are those related to improving the cybersecurity of medical devices and other IT to reduce potential safety risks to patients.
Walsh calls the document "one of the best reports I've ever read from a government task force," and hails it for containing some "novel" ideas. For instance, he cites the report's call for creating a healthcare-specific cybersecurity framework and its proposal for federal regulatory agencies to harmonize laws and regulations that affect healthcare industry cybersecurity.
A recommendation to establish a Medical Computer Emergency Readiness Team - or "MedCERT" - to coordinate response to medical device cybersecurity incidents and vulnerability disclosures is among the most urgent to implement, Walsh argues.
While not all the recommendations will be easily executed across all segments of the private and public healthcare sector, the report brings into the spotlight critical problems that need to be addressed, Holtzman says.
"The work of the cybersecurity taskforce is made all the more important exactly because we have an urgent problem seeking urgent solutions. The important work of prioritizing the recommendations along with action to implement them is still in front of us."