Established by the Cybersecurity Act of 2015, the Health Care Industry Cybersecurity (HCIC) Task Force recently released its recommendations for the industry. It is a thorough, 96-page report to Congress on the topic, but what does it mean for healthcare providers?
The National Institute of Standards and Technology (NIST), a federal agency within the U.S. Department of Commerce, developed a voluntary framework that helps organizations manage and reduce cybersecurity risk. Using the framework helps organizations prioritize the activities and investments that are most critical to them. It also provides a common language for better communication among internal and external stakeholders.
2) Secure legacy systems
The healthcare sector employs a wide range of IT, such as electronic health records (EHRs) and medical devices. Because of this variety, it is important to keep every system current with the latest security patches.
You should take inventory of your IT assets and address unsupported operating systems, devices and EHRs. Make sure your software partners follow a secure development lifecycle that addresses cybersecurity at every step from concept to end-of-life.
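The inventory step above is easy to state and easy to let slide, so here is an added example of what a first automated pass over an asset inventory can look like. This is illustrative code written for this post, not anything from the task force report or from Allscripts; the platform names, end-of-support dates and asset records are all constructed placeholders, and a real run would pull them from a CMDB and from vendor lifecycle notices. It flags assets whose platform is past vendor support, whose platform is not in the support table at all (a common sign of an unmanaged device), or whose last patch is older than a chosen age.

```python
from dataclasses import dataclass
from datetime import date

# Constructed end-of-support table: hypothetical platform names and dates,
# standing in for the vendor lifecycle data a real inventory would reference.
END_OF_SUPPORT = {
    "legacy-os-7": date(2020, 1, 14),
    "legacy-os-10": date(2025, 10, 14),
    "ehr-suite-2": date(2019, 6, 30),
    "ehr-suite-4": date(2027, 1, 1),
}


@dataclass(frozen=True)
class Asset:
    name: str          # inventory identifier
    kind: str          # "workstation", "device" or "ehr"
    platform: str      # OS, firmware or EHR product/version key
    last_patched: date  # date of the last applied security update


def classify(asset, today, max_patch_age_days=90):
    """Return a list of findings for one asset (empty list means no issue)."""
    findings = []
    eos = END_OF_SUPPORT.get(asset.platform)
    if eos is None:
        # Unknown platform: nobody has recorded a support lifecycle for it,
        # which usually means nobody is tracking its patches either.
        findings.append("unknown platform")
    elif eos <= today:
        findings.append("unsupported")
    if (today - asset.last_patched).days > max_patch_age_days:
        findings.append("stale patches")
    return findings


def audit(assets, today, max_patch_age_days=90):
    """Map asset name -> findings for every asset that has at least one."""
    report = {}
    for asset in assets:
        findings = classify(asset, today, max_patch_age_days)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory (placeholder records, not real systems).
SAMPLE_INVENTORY = [
    Asset("ws-101", "workstation", "legacy-os-7", date(2019, 12, 1)),
    Asset("ws-102", "workstation", "legacy-os-10", date(2024, 1, 2)),
    Asset("infusion-07", "device", "vendor-rtos-1", date(2023, 6, 1)),
    Asset("ehr-db", "ehr", "ehr-suite-2", date(2023, 12, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, date(2024, 1, 15)).items():
        print(f"{name}: {', '.join(findings)}")
```

The "unknown platform" finding is deliberate: an asset that cannot be matched to a support lifecycle is the one most likely to be a network-connected medical device nobody owns, and it should be triaged before the ones whose status is merely "old".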
3) Check developer certifications
In addition to securing your systems, you should ensure your vendors hold current security certifications. For example, Allscripts is ISO 27001 and SOC 2 certified, meaning independent auditors have confirmed that we comply with specified security standards. Certifications such as these establish that a vendor has enacted a suite of recognized security controls and show that the vendor takes security seriously. Vendors should be transparent about these certifications, and you should not hesitate to ask if they have them.
4) Strengthen passwords and authentication
The task force recognizes that strong identity and access management practices are fundamental to the trust between providers and patients. However, clinicians often must sign into systems dozens of times each day using passwords alone (single-factor authentication), and passwords are vulnerable to attack. Accordingly, organizations should consider two-factor authentication to limit the risk from compromised passwords.
5) Conduct readiness exercises
While studies show that 70% of firms have a cyberattack response plan in place, fewer than 15% review or test these plans annually. Organizations should practice their response using regional, national and global attack scenarios. Allscripts conducts readiness exercises regularly to keep our plans current and ready for evolving threats, and we encourage other organizations to consider a similar approach.
6) Encourage investment in federal cybersecurity leadership
The task force points out the need to define and streamline cybersecurity governance and leadership. Unfortunately, the new federal administration’s proposed budget severely reduces funds for the Office of the National Coordinator for Health Information Technology (ONC). A lack of resources for these offices reduces cybersecurity leadership and guidance at a time when investments should be increasing.
Healthcare IT is a complex environment, and there will always be emerging threats. Though more cyberattacks are sure to come, the industry is improving its efforts to protect patient data.