A federal task force released its long-awaited cybersecurity recommendations report Friday evening.
The far-reaching report from the Health Care Industry Cybersecurity Task Force was mandated by the Cybersecurity Act of 2015.
The task force convened 21 wide-ranging stakeholders in medical cybersecurity, ranging from device manufacturers to hospitals to consumer advocates.
Workforce issues are the “most foundational problem” for much of the sector, said Josh Corman, co-founder of the device cybersecurity advocacy group I Am The Cavalry and member of the task force. While all industries are bracing for a cybersecurity talent crunch, healthcare faces a few unique problems.
“It’s not just that small- and medium-sized businesses lack funding to incentivize talent. It’s not just the growing lack of talent or encouraging people to go to rural locations. It’s all of them,” Corman said.
Though the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare offices to designate an employee in charge of information privacy, many of those employees have no training in cybersecurity. Some offices employ staff in the single digits, so hiring a new full-time worker to handle information security would be an untenable investment.
The challenge, said Corman, is to scale existing talent while working toward more complete security staffing.
One of the report’s more counterintuitive suggestions targets scaling this kind of talent by amending anti-kickback laws that could prevent a larger healthcare provider from sharing security software or resources with smaller offices.
Other models for scaling resources include pooling multiple office resources into hiring a multi-organization chief information security officer.
Workforce is such a foundational problem because many of the common-sense solutions that the panel suggests cannot take flight without a trained person to lead them. The recommendations include things like security assessments using National Institute of Standards and Technology (NIST) guidelines that would be beyond the reach of untrained personnel.
Though the recommendations suggest these assessments be done using the NIST Cybersecurity Framework — a cybersecurity strategy guide intended to be flexible enough to cover any organization — the task force also suggests that NIST create a healthcare-focused guide.
“The advice in the Cybersecurity Framework is overwhelmingly focused on financially motivated actors taking or ransoming private data,” said Corman, “while healthcare has a different set of problems.”
Denial of service attacks — attacks aimed at rendering systems unusable — are a bigger problem for a hospital than for most businesses.
“An availability attack on hospital equipment could be fatal,” said Corman.
The report also takes aim at the government’s widely distributed system of regulating privacy and cybersecurity, with no single point of contact in charge of cybersecurity in the sector.
A variety of agencies ranging from Health and Human Services and the Federal Trade Commission to the Occupational Health and Safety Administration and Securities and Exchange Commission all regulate different aspects of healthcare.
Having a single official to centralize efforts could simplify the process for businesses.
The Task Force recommends that healthcare providers take on the seemingly herculean task of modernizing systems. Though up-to-date equipment is critical to preventing cyberattacks, healthcare creates unique impediments for updating systems.
The lifecycle of medical equipment can be as many as two decades long — meaning that 10- to 20-year-old systems would have to be compatible with any upgrade to systems. That is not always possible, meaning that upgrading any one component of a health provider’s arsenal might also require upgrading another.
Corman says there are a variety of funding methods the government or even the private sector could look at, including a “cash-for-clunkers” trade-in program.
“The truth is, a number of solutions may be required,” said Corman.
The Task Force also makes recommendations concerning how internet-connected medical devices, including personal devices like pacemakers and insulin pumps, are sold.
Nearly all commercially available software and hardware make use of prewritten software modules or operating systems. Over time, security vulnerabilities are discovered in those prewritten software products. While the original programmers usually release updates correcting those flaws, that does not mean the products built on that software implement those updates.
One solution, writes the Task Force, is to ship all devices with a software bill of materials — a manifest of which versions of what software are incorporated in a product. It would ensure that users are at least aware of which modules need updating, and allow them to seek out workarounds for problems when updates are not available.
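To make the bill-of-materials idea concrete, here is an added example (not from the report or any vendor) of how a hospital's security staff could consume such a manifest: it parses a constructed `name=version` manifest for a hypothetical device, compares each component against a constructed list of advisories, and reports whether a component can be updated or, when no fix exists, needs a workaround. The manifest format, component names, versions and advisories are all assumptions made for illustration.

```python
"""Added example: assessing a device's software bill of materials (SBOM).
All component names, versions and advisories here are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    component: str
    affected_below: tuple          # versions strictly below this are affected
    fixed_in: Optional[tuple]      # None means the vendor has shipped no fix

def parse_version(text: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def parse_sbom(manifest: str) -> dict:
    """Parse a minimal one-component-per-line 'name=version' manifest."""
    components = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        name, version = line.split("=", 1)
        components[name.strip()] = parse_version(version.strip())
    return components

def assess(components: dict, advisories: list) -> dict:
    """Map each affected component to 'update' (fix exists) or 'workaround'."""
    findings = {}
    for adv in advisories:
        installed = components.get(adv.component)
        if installed is None or installed >= adv.affected_below:
            continue                      # not present, or already patched
        findings[adv.component] = "update" if adv.fixed_in else "workaround"
    return findings

# Constructed manifest for a hypothetical infusion-pump firmware image.
SAMPLE_SBOM = """
# component=version
embedded-os=3.4.1
tls-lib=1.0.2
json-parser=2.7.0
"""
# Constructed advisories: tls-lib has a fix, json-parser does not yet.
SAMPLE_ADVISORIES = [
    Advisory("tls-lib", parse_version("1.1.0"), parse_version("1.1.0")),
    Advisory("json-parser", parse_version("2.8.0"), None),
    Advisory("embedded-os", parse_version("3.0.0"), parse_version("3.0.0")),
]

if __name__ == "__main__":
    for name, action in assess(parse_sbom(SAMPLE_SBOM), SAMPLE_ADVISORIES).items():
        print(f"{name}: {action}")
```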
Federal task force: Here’s how to fix healthcare cybersecurity