This week, the Department of Health and Human Services (HHS) issued its “Report on Improving Cybersecurity in the Health Care Industry,” which is the culmination of a year-long effort on behalf of the Cybersecurity Task Force, made up of industry professionals from the public and private sectors, to identify and develop recommendations “on the growing challenge of cyber-attacks targeting health care.”

The Report outlines six imperatives, which include recommendations and action items. At the heart of the Report is the pronouncement that an insecure digital health care system is a patient safety issue and health care entities have the responsibility to secure their systems, medical devices and patient information.

The Report acknowledges that health care organizations have resource constraints, that this lack of resources has a direct impact on organizations’ ability to hire and keep in-house IT personnel, develop robust security measures, infrastructure and tools, and maintain an engaged leadership and board, and that there is a general dismissal of the risk.

The six imperatives set forth by the Task Force are:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, risks, and mitigations.

A set of recommendations and action items for each imperative is included in Appendix A of the Report. Some of the recommendations are quite specific and creative, such as developing incentive programs “to phase-out legacy and insecure health care technologies (e.g., incentive models like Cash for Clunkers, Montreal Protocol, and Federal IT Modernization Fund).”

The Report is well done and worth a review. We will see how it is received by HHS and if any of the recommendations can be implemented by the new administration.

This post is also being shared on our Data Privacy + Security Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.