The independent, Congressionally mandated Health Care Industry Cybersecurity Task Force released its report last week, setting out its findings about the state of security in America's health technology (very, very, very bad) and its recommendations (basic commonsense cybersecurity 101).
Critically, the report says that without direct, meaningful, extensive government intervention, the problems cannot be fixed. Given the current regulatory climate, it's unlikely that this will happen.
The report found that the current dismal state was due primarily to two factors: "premature and excessive connectivity" (buying Internet of Things technology before it was ready for primetime) and "a severe lack of security talent in the industry" (hospitals can't bid against tech giants and startups for IT and security talent).
The problems were accelerated by Congressional incentives to adopt and spread electronic health records, and Medicare and Medicaid's "Merit-Based Incentive Payment System," which caused hospitals and doctors to rush into technology they couldn't support and didn't understand.
The task force's recommendations are very straightforward: "define governance expectations," "increase security," "develop cybersecurity capacity in the healthcare workforce," "increase cybersecurity preparedness," "identify mechanisms to protect systems," and "improve industry sharing" of threat-related intel.
So, just that.
It was clear to everyone on the task force, Corman noted, that there were no technical barriers to a "sustained denial of patient care like what happened at Hollywood Presbyterian, on purpose" at virtually any healthcare facility in the United States. "I said we all make fun of security through obscurity, but what if that's all we have?" Corman recounted. "Seriously. What if that's all we have?"
Given that untargeted and incidental attacks on hospitals have already happened, it seems inevitable that someone will carry out a targeted attack at some point. Corman said that increases the importance of doing disaster planning and simulations now to optimize responses, "so we can see who needs to have control—is it FEMA, the White House, DHS, HHS, the hospitals? We drill with our kids what you're supposed to do in a fire. Before we have a boom, we need to prioritize simulations, practice, and disaster planning."
Another part of planning for the post-attack scenario—or "right of boom"—is to make sure that the right supports are in place to quickly recover. "We need to make sure that we've done enough scaffolding now so that we can have a more elegant response," Corman said, "because if this looks like Deepwater Horizon, and we're on the news every night, every week, gushing into the Gulf, that's going to shatter confidence. If we have a prompt and agile response, maybe we can mitigate the harm."
REPORT ON IMPROVING CYBERSECURITY IN THE HEALTH CARE INDUSTRY [Health Care Industry Cybersecurity Task Force]
Task force tells Congress health IT security is in critical condition
[Sean Gallagher/Ars Technica]