Some segments of the healthcare sector still have data security programs that barely comply with HIPAA, let alone encompass a more mature, robust approach.
An effective approach to security, of course, includes making an effort to keep up with communications about emerging cyber threats and newly discovered vulnerabilities. Options include participating in a cyber information sharing organization, such as the National Health Information Sharing and Analysis Center, or signing up for free cyber vulnerability and threat-related alerts from the Department of Homeland Security.
"Hopefully, there will be a growing level of maturity as information sharing grows."
The latter is one option that's highly recommended by the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
OCR, in its most recent monthly cyber awareness newsletter sent out last week during the HIMSS17 conference in Orlando, reminds the healthcare sector of the urgency to keep up with the latest sharing of cyber threat information available from DHS' U.S. Computer Emergency Readiness Team.
"The nation's healthcare system is part of the national infrastructure that has increasingly come under attack from cyber threats. One of the keys to combatting these cyber threats is for the government, the private sector, and international network defense communities to collaborate and share information," OCR writes in the alert.
"US-CERT also responds to cybersecurity incidents and analyzes data it collects itself and from partners about emerging cyber threats. US-CERT is in a unique position to inform covered entities and business associates about their cybersecurity efforts as well as benefit from information sharing when a covered entity or business associate experiences a cybersecurity incident."
Among recent cyber alerts and related analysis that OCR says is relevant to the healthcare industry is US-CERT's Feb. 10 report, Enhanced Analysis of the Grizzly Steppe Activity.
In addition to signing up for alerts that US-CERT sends out, OCR also encourages organizations to share their cyber-related information with DHS. "Covered entities should report to US-CERT any suspicious activity, including cybersecurity incidents, cyber threat indicators and defensive measures, phishing incidents, malware, and software vulnerabilities," OCR writes.
Coming Soon: Best Practices Guide
It's yet to be seen what stance the Trump administration will take when it comes to the topic of cyber threat information sharing. But under the Cybersecurity Information Sharing Act passed by Congress and signed by former President Obama in 2015, the federal government has been trying to incentivize businesses to share cyber threat information with the federal government.
Under the legislation, an HHS task force over the last year has been studying the array of cyber challenges faced by the healthcare sector, and examining how other sectors are handling similar challenges.
Among the goals of the task force is identifying standards and best practices for improving cyber information sharing in the healthcare sector. David Finn, health IT officer at security firm Symantec and a member of the HHS task force, tells me the group is finishing up a report that it will submit to Congress at the end of March.
"The report is being drafted - it's been a very enlightening year. We have compared healthcare to other industries - and looked at what is working in healthcare and what is getting in the way," he says.
Medical Device Cybersecurity
Medical device cybersecurity should also be on the radar screens of healthcare sector entities participating in cyber information sharing activities, especially considering that mid-sized hospitals could have thousands of devices in use at their facilities.
During HIMSS17, leaders from NH-ISAC and the Medical Device Innovation Safety and Security consortium, or MDISS, discussed how their organizations are collaborating on ways to improve the sharing of information about the vulnerabilities of medical devices that have the potential to cause patient harm.
The groups are urging medical device makers - and any other healthcare players who discover medical device cyber vulnerabilities that have not yet caused patient harm - to report the problems to the new Medical Device Vulnerability Intelligence Program for Evaluation and Response, or MD-VIPER, website. (Of course, vulnerabilities that have already caused patient injury or death need to be reported to the Food and Drug Administration.)
The idea is to have information available to industry players about these vulnerabilities so that patches can be developed and applied before the flaws are exploited by bad actors.
Of course, an important goal of improved cyber information sharing is having healthcare sector entities actually take action once they're aware of vulnerabilities and other threats that could hurt their organizations or their patients. But too many healthcare organizations still lack a mature information security program.
"Hopefully, there will be a growing level of maturity as information sharing grows," said Michael McNeil, global product security and service officer of medical device maker Royal Philips, during a HIMSS17 presentation last week.
And OCR seems to be offering a similar message in advising covered entities and BAs to share and monitor information related to cyber threats and vulnerabilities: Knowing you have a problem is the first step toward solving it.