In a report released earlier this year, the Health Care Industry Cybersecurity Task Force identified six key imperatives and recommendations that doctors, nurse practitioners, physicians’ assistants, and other healthcare professionals should follow to secure and protect their practices from cyber attacks. In this post, we’ve unpacked and summarized the six key imperatives along with some of the Task Force’s recommended actions designed to secure sensitive patient data, protect and inform organizations, and contribute to the protection of healthcare community data at large.
Imperative #1: Define and streamline leadership, governance, and expectations for healthcare industry cyber security.
This imperative refers to the need for one person within the HHS to coordinate cybersecurity efforts and work with other federal entities to develop and streamline cyber security laws and regulations within the healthcare industry.
Another key element of this imperative asks government agencies to create a framework and single set of best practices to which all players in the healthcare sector can refer when addressing cyber security issues on their own.
When thinking about strengthening your own practice’s security, it is highly recommended that you establish protocols and standards and delegate one person or agency to own cyber security within your organization.
Imperative #2: Increase the security and resilience of medical devices and health IT.
This imperative relates to device and application security and calls for longer software development life cycles and visibility into third-party software.
The key takeaway from this imperative and its recommendations is the need for full visibility into all software and device applications used throughout the office. This can range from front office software to mobile device applications.
To enhance the security of your devices and applications, it is a good idea to maintain a comprehensive “bill of materials” detailing all hardware and software used throughout your office, along with known vulnerabilities and potential threats. While this may seem like a daunting task, at least periodically taking stock of the applications in use can come in handy in the event of a security breach.
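To make the “bill of materials” idea concrete, here is an added example (not from the Task Force report or any vendor) that keeps a small hardware/software inventory and checks each entry against a list of advisories, flagging items whose version falls within the affected range. Both the inventory rows and the advisories are constructed sample data with placeholder vendor, product, and advisory names.

```python
"""Tiny hardware/software bill-of-materials check (added example with constructed data)."""
import csv
import io

# Constructed inventory in the shape a small practice might keep: one row per asset.
INVENTORY_CSV = """asset,vendor,product,version,owner
front-desk-pc-1,ExampleVendor,PracticeManager,3.2.1,Front office
infusion-pump-7,ExampleMed,InfuseCtl,1.4.0,Nursing
tablet-04,ExampleVendor,ChartApp,2.0.5,Dr. Lee
imaging-ws-2,ExampleVendor,PracticeManager,4.0.0,Radiology
"""

# Constructed advisories: (vendor, product, highest affected version, remediation note).
# Real advisories would carry a vendor bulletin or CVE id; these are placeholders.
ADVISORIES = [
    ("ExampleVendor", "PracticeManager", "3.9.9", "PLACEHOLDER-ADV-1: update to 4.0.0 or later"),
    ("ExampleMed", "InfuseCtl", "1.4.2", "PLACEHOLDER-ADV-2: vendor firmware update available"),
]


def parse_version(version):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def load_inventory(text):
    """Read the CSV inventory into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_vulnerable(rows, advisories):
    """Return (asset, owner, note) for every row whose vendor/product matches an
    advisory and whose version is at or below the advisory's highest affected version."""
    flagged = []
    for row in rows:
        for vendor, product, max_affected, note in advisories:
            if (row["vendor"] == vendor and row["product"] == product
                    and parse_version(row["version"]) <= parse_version(max_affected)):
                flagged.append((row["asset"], row["owner"], note))
    return flagged


def report(text=INVENTORY_CSV, advisories=ADVISORIES):
    """Run the check over the inventory; the owner column tells you whom to notify."""
    return flag_vulnerable(load_inventory(text), advisories)


if __name__ == "__main__":
    for asset, owner, note in report():
        print(f"{asset} ({owner}): {note}")
```

Swapping in a CSV exported from your own asset tracking and a current vendor advisory list is all that is needed to reuse the check; the owner column is what turns a finding into a task for a named person.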
Imperative #3: Develop the health care workforce capacity necessary to prioritize and ensure cyber security awareness and technical capabilities.
In many ways, Imperative #3 echoes the subject matter addressed in Imperative #1 (wherein cyber security infrastructure should be developed and maintained). This imperative, however, speaks to the development of security infrastructure on a smaller scale.
In other words, create the necessary protocols for cyber security in your own organization and staff accordingly. This imperative also suggests looking into managed security service providers (MSSPs) as a viable option for mitigating potential threats where staffing options are limited.
Imperative #4: Increase health care industry readiness through improved cyber security awareness and education.
Imperative #4 stresses the importance of continuing education within your organization and recommends the development of educational programs for everyone from board-level executives to general staff. The report also emphasizes the need for a holistic strategy among participants in the healthcare community and suggests that without this kind of approach, organizations are weakened and the healthcare industry and patients are subject to higher risk.
For smaller organizations that might struggle to prioritize the development of comprehensive security education programs, a number of third-party agencies exist to assist in this regard and should be considered.
Imperative #5: Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
While this imperative may not be as relevant to smaller organizations and primary care facilities, it is still important for healthcare professionals of all levels to maintain a peripheral awareness of the pertinent risks and best practices when sharing R&D or intellectual property data.
When talking about large-scale R&D and Big Data breaches, it’s also important for those involved in the healthcare industry to understand how such events may impact their organization and the broader healthcare community.
Imperative #6: Improve information sharing of industry threats, risks, and mitigations.
This imperative addresses the responsibility of healthcare professionals to protect their community by sharing information, particularly between the federal government and the private sector, during times of increased security risk or in the event of a breach or attack. By strengthening connectivity among disciplines and departments, threats and attacks may be thwarted more quickly and handled with minimal impact.
The report also recognizes that mid-size and smaller organizations may lack the means to share information in an easily digestible way, or the resources to develop such systems, and again suggests employing MSSPs to help bridge the gap.
The Healthcare Industry is at Risk
The Health Care Industry Cybersecurity Task Force’s report is an invaluable resource for healthcare professionals, and its guidelines and recommendations should be taken seriously. As we’ve seen in the recent ransomware attacks on hospitals, cyber security is a real and growing threat and all precautions should be taken to protect your practice and aid in the protection of the larger healthcare community.