Cyber Attack Guidelines for Hospitals and Clinics
Robin Young • Wed, July 12th, 2017
The U.S. Department of Health and Human Services (HHS) Cybersecurity Task Force issued its official report to Congress this month.
The Task Force, which was established by HHS in March 2016, is staffed by information security specialists from large and small hospitals, suppliers, insurers and independent IT firms. Among the organizations represented are Kaiser Permanente, Anthem and Stryker Corporation.
Given the plague of hacks and ransomware attacks over the past 36 months, this report could not have come soon enough.
The report contained 100 recommendations including a diagnosis and treatment plan for the American healthcare system.
Diagnosis: American healthcare is in critical condition. Indeed, the patient doesn’t fully realize the extent of the problem.
There is, said the Task Force, an over-reliance on legacy equipment throughout the system. And, in an effort to meet the ever-changing and urgent demands on healthcare today, users are connecting these legacy systems to the internet far beyond what they were designed for. That, say Task Force members, leaves them highly exposed to intrusions and ransomware.
Treatment Plan: High-level leadership, public and private sector financial resources, central coordination of efforts, legislative and regulatory changes to permit pooling of resources without fraud and abuse (anti-kickback) concerns, and more.
The report listed six “imperatives.”
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.
No Quick Fix
Given healthcare’s cultural, financial and technical quirks, the Task Force noted the need to create a healthcare-specific version of the National Institute of Standards and Technology (NIST) cybersecurity framework. (The current framework is recognized under the HIPAA Security Rule as a key standard; recognition of a new framework would not necessarily require amendments to the Security Rule.)
Depressingly, the Task Force said that cyberattacks will continue. Given that, the Task Force suggested that hospitals and others adopt the following cyber-attack checklist:
- When attacked, execute response and mitigation procedures and contingency plans. Immediately fix any technical or other problems to stop the incident. Mitigate any impermissible disclosure of protected health information.
- Report the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service. Reports should NOT include protected health information unless otherwise permitted by the HIPAA Privacy Rule.
- Report all cyber threat indicators to federal agencies and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.
- Report any breach to OCR [Office for Civil Rights] as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting. OCR presumes that any cyber-related security incident in which protected health information was accessed, acquired, used, or disclosed is a reportable breach unless the entity can show, through a documented risk assessment, that there is a low probability the information was compromised. An entity that discovers a breach affecting fewer than 500 individuals must still notify the affected individuals, and must report the breach to OCR no later than 60 days after the end of the calendar year in which it was discovered.
Instead of artificial intelligence, what the American healthcare system needs is some human leadership.