In a recent report, the U.S. Department of Health and Human Services has flagged the country’s healthcare industry as highly vulnerable to cyber-attacks and ransomware.
The DHHS’ Health Care Industry Cybersecurity Task Force has revealed that healthcare cybersecurity is in critical condition and requires a complete overhaul.
The task force’s report reveals damning details about the healthcare industry’s cyber-security standards and how well the industry is prepared to safeguard private information from hackers. “What we consistently encountered was a strategic pitfall in cybersecurity environment. Healthcare cybersecurity is in critical condition,” said Josh Corman, a member of the task force and Atlantic Council Director of the Cyber Statecraft Initiative.
“Given the interconnectivity and diversity within the sector, the interdependency of subsectors on one another, and the disparity between organizations’ ability to address cybersecurity issues, healthcare as a whole will only be as secure as the weakest link,” the task force noted.
The report found that most hospitals have no designated cyber-security official, and that smaller hospitals did not invest in cyber-security because they believed only larger institutions were targeted by hackers. The task force called this a flawed assumption, since hackers do not discriminate between hospitals ‘due to the value and sensitivity of healthcare data.’
The task force recommended that the Health and Human Services Secretary publish standards and guidance consistent with the NIST Cybersecurity Framework, establish a task force to explore options for incentivizing risk-based cybersecurity, and make recommendations to Congress about the statutory changes required.
At the same time, the task force called on the healthcare industry to inventory its clinical environments and document unsupported operating systems, devices, and electronic health record (EHR) systems; to replace or upgrade those systems with supported alternatives that have stronger security controls where possible; to develop and document retirement timelines where devices cannot yet be replaced; and to apply segmentation, isolation, hardening, and other compensating risk-reduction strategies for the remainder of their use.
Last year, the US Food and Drug Administration issued draft guidance for medical device manufacturers on addressing cyber security risks. The guidance recommended that manufacturers monitor, identify and address cyber security vulnerabilities in medical devices, and that they recognize the importance of information sharing by participating in an Information Sharing and Analysis Organization (ISAO).
“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, associate director of the FDA’s Centre for Devices and Radiological Health.
Despite the FDA’s warnings, medical device manufacturers were caught napping by the WannaCry ransomware attacks in May. Following the attack, several medical devices made by the likes of Bayer and Siemens were found to be affected.