HealthBlawg

David Harlow's Health Care Law Blog

Cybersecurity Reports and HIPAA Chat Webinar

Join me Thursday May 25, 2017 at 1 p.m. ET for the next edition of HIPAA Chat  (follow the link for free registration). David Finn, Symantec’s Health IT Officer, will be our guest, and we’ll be discussing Symantec’s recently released 2017 Internet Security Threat Report for Healthcare.

Update: Listen to this edition of HIPAA Chat right here:

Ransomware and IoT top the list for 2016 threats. Sadly, exploits that continue to wreak havoc are mostly preventable. Collectively, we need to figure out how to prioritize prevention.

David Finn is on the US HHS Health Care Industry Cybersecurity Task Force which has been looking at these same sorts of issues with a laser focus on the health care sector. The Task Force was charged under CISA to

  • Analyze how other industries have implemented strategies and safeguards to address cybersecurity threats;
  • Analyze challenges and barriers the health care industry encounters when securing itself against cyber-attacks;
  • Review challenges to secure networked medical devices and other software or systems that connect to an electronic health record;
  • Provide the Secretary with information to disseminate to health care industry stakeholders to improve their preparedness for, and response to, cybersecurity threats;
  • Establish a plan to create a single system for the Federal Government to share actionable intelligence regarding cybersecurity threats to the health care industry in near real time for no fee; and
  • Report to Congress on the findings and recommendations of the task force.

While your faithful HealthBlawger would like to be proven wrong here, he does not hold any great hopes for dramatic improvements in understanding or addressing cybersecurity issues as a result of the issuance of a point-in-time report by a task force which is then disbanded. The nature of the threat, or threats, is too dynamic. (See an old post entitled CISA: Big Brother is Watching.)

As of this writing, the task force’s report is not yet public, though we’ve seen posts about leaked copies here and here.

The task force reportedly issues about a hundred “action items,” distributed across six “imperatives”:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

  2. Increase the security and resilience of medical devices and health IT.

  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

  4. Increase health care industry readiness through improved cybersecurity awareness and education.

  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

  6. Improve information sharing of industry threats, weaknesses, and mitigations.

It is, of course, hard to argue with these imperatives, or with many of the action items, which reportedly include:

  • Revise anti-kickback laws to allow organizations to share cyber resources
  • Phase out old, insecure technologies like “Cash for Clunkers” did in 2009
  • Through FDA regulation, build better cyber into medical devices
  • Better assure the authenticity of workers, patients, devices and EHRs
  • Think about small- and medium-sized providers who can’t afford technical resources
  • Establish and implement good “cybersecurity hygiene” across health care
  • HHS should develop educational resources
  • Ensure the protection of large data sets

The problem is that we already know what we need to do, but we are collectively not devoting the resources necessary to do a good job of hardening assets that could be targets of cyberattacks, be they in the form of ransomware or otherwise.

The recent WannaCry ransomware episode, which exploited a known vulnerability in Windows, should serve as a wake-up call to the industry, but the likelihood is that it will not.  There was a Windows 7 and and a Windows 10 patch for the vulnerability available before the exploit began. However, many healthcare institutions in the US and abroad use the older Windows XP, even though it is no longer supported by Microsoft. Microsoft made a patch available for Windows XP after the fact — but dozens of National Health Service facilities in the UK running Windows XP were already infected, and were effectively shut down by the ransomware attack (as were a multitude of other uses in over a hundred countries).

Again, we know what we need to do, but given how under-resourced and inefficient the “system” is (let’s not even start down the path of why folks are running XP years after its end-of-life) how is cybersecurity going to be funded at an appropriate level system-wide?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

you might also like:

  1. Federal Health Care Cybersecurity Task Force Issues Recommendations for Industry

  2. HIPAA Chat With David Harlow

  3. Cybersecurity and Healthcare Panel Discussion with Government and Industry Experts