Earlier this month, the Health Care Industry Cybersecurity Task Force sent to Congress the Report On Improving Cybersecurity in the Health Care Industry. The Report provided a grim assessment that “health care cybersecurity is a key public health concern that needs immediate and aggressive attention.” Consistent with its mandate under the Cybersecurity Act of 2015, the Task Force included in the Report “six high-level imperatives” to address cybersecurity issues in health care with a total of 21 recommendations and 104 suggested action items to implement those recommendations.
The Task Force recognized the “unique culture” of health care providers whose resources are focused on helping as many patients as possible with their patient-care needs. Nevertheless, many organizations remain at high risk to cybersecurity intrusions. The Report acknowledges the challenge providers have to design and implement security that does not unduly interfere with the efficient delivery of seamless health care in a complex health care delivery environment. Problems that contribute to the challenge include reactive (as compared to pro-active) responses, limited financial resources, reliance on outdated legacy systems, insufficient training to overcome the lack of understanding and appreciation of cybersecurity risks, and the push to increase interconnectivity for electronic data exchange. Another aspect of this unique culture is its overall fragmentation where smaller and less technology-sophisticated providers are not on the same page as some of the larger providers, and thus are the weak links in the industry’s efforts to secure health care information.
Some of the observations and recommendations in the Report that caught my eye:
- The “Information Governance” concept that shifts some of the focus from technology to the “people, processes, and policies that generate, use, and manage the data and information required for care.” In other words, security is not just an IT issue and needs to be addressed in operations.
- The Task Force recommends that Congress assess how the anti-kickback statute and Stark law may inhibit larger health care organizations from sharing cybersecurity resources and information, as well as consider adopting modifications or exceptions. Collective and cooperative initiatives to address cybersecurity risks will allow smaller providers to benefit from the resources and protections offered by larger providers.
- Development of a conformity assessment program based upon a standardized set of security requirements. The Task Force reviewed and identified the existing assessment tools and standards and concluded that a more uniform, universally applied security assessment for health care is needed.
- Encourage the establishment, certification, and use of Managed Security Service Providers (MSSPs) that will develop a business and security model that small to mid-size providers can rely upon to manage their security program.
The Task Force included 21 representatives from both the public and private sectors. In the cover letter to Congress, the Task Force co-chairs said that the Report “reflected a shared understanding that for the health care industry cybersecurity issues are, at their heart, patient safety issues.” The recommendations and suggested action items in the Report are worth careful consideration by Congress and stakeholders.
Arent Fox’s Health Care group regularly monitors developments in the cybersecurity and cyber-health industries. If you have any questions about the topic discussed here, please contact Thomas Jeffry in our Los Angeles office, Samuel Cohen in our Washington, DC office, or the Arent Fox professional who regularly manages your matters.