
Citation

Health Care Industry Cybersecurity Task Force, Report on Improving Cybersecurity in the Health Care Industry (June 2, 2017) (full-text).

Overview

The Cybersecurity Act of 2015 provided a much needed opportunity to convene public and private sector subject matter experts to spend the last year discussing and developing recommendations on the growing challenge of cyber attacks targeting health care. As public and private sector Co-Chairs of the Task Force, we worked diligently to balance industry and government perspectives and to solicit input from outside stakeholders and the general public.

Under the Act, the Task Force was directed to:

(A) analyze how industries, other than the health care industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;
(B) analyze challenges and barriers private entities (excluding any State, tribal, or local government) in the health care industry face securing themselves against cyber attacks;
(C) review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record;
(D) provide the Secretary with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry;
(E) establish a plan for implementing title I of this division, so that the Federal Government and health care industry stakeholders may in real time, share actionable cyber threat indicators and defensive measures; and
(F) report to the appropriate congressional committees on the findings and recommendations of the task force regarding carrying out subparagraphs (A) through (E).

The Task Force developed six imperatives along with associated recommendations and action items. The imperatives are:

1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, risks, and mitigations.

All of these reflect the need for a unified effort — among public and private sector organizations of all sizes and across all sub-sectors — to work together to meet an urgent challenge. They also reflect a shared understanding that for the health care industry cybersecurity issues are, at their heart, patient safety issues. As health care becomes increasingly dependent on information technology, our ability to protect our systems will have an ever greater impact on the health of the patients we serve. While much of what we recommend will require hard work, difficult decisions, and commitment of resources, we will be encouraged and unified by our shared values as health care industry professionals and our commitment to providing safe, high quality care.
