The healthcare industry has long been a preferred target of cybercriminals. This is due not only to the high value of protected health information (PHI) records, but also because the digitization of the industry’s technology infrastructure has created new ways for attackers to infiltrate healthcare systems.
Following the passage of the HITECH Act in 2009, the industry experienced a significant expansion in health information technology. Electronic Health Record (EHR) systems have made it easier to share information with patients and other providers, but they also make it easier for cybercriminals to find and leverage system vulnerabilities.
In 2015, Congress passed the Cybersecurity Information Sharing Act (CISA) to improve cybersecurity practices and make it easier for companies to share information related to cybersecurity threats with the government. Following the passage of CISA, the Department of Health and Human Services (HHS) established the Healthcare Industry Cybersecurity Task Force.
The goal of the Task Force is to improve healthcare cybersecurity practices. Its members represent a range of organizations within the healthcare industry, such as hospitals, insurers, IT vendors, and more.
In this article, we will cover what the Healthcare Industry Cybersecurity Task Force does to improve cybersecurity practices, analyze Task Force activity updates, and detail how solutions like WinZip® Enterprise can help healthcare organizations mitigate the ever-changing cybersecurity threats facing the industry.
History of the healthcare industry cybersecurity task force
The Healthcare Industry Cybersecurity Task Force first convened in March 2016. At the time of its formation, the healthcare industry had already suffered significant cybersecurity events, including:
- Boston Children’s Hospital, 2014. The hacktivist group Anonymous launched a massive, sustained distributed denial-of-service (DDoS) attack against the 395-bed facility in April 2014. The hospital spent more than a week fending off the cyberattack.
- Anthem, Inc., 2015. A Chinese hacking group targeted and breached Anthem’s computer systems in 2015, compromising the data of nearly 80 million individuals. The stolen data included names, dates of birth, Social Security numbers, health identification numbers, and more. This incident is the largest healthcare data breach to this day.
- Hollywood Presbyterian Medical Center, 2016. Hackers used malware to infect and seize control of the hospital’s computer systems in early 2015. Following the ransomware attack, Hollywood Presbyterian Medical Center paid a $17,000 ransom to restore its systems and operations.
Healthcare Industry Cybersecurity Task Force members spent a year analyzing cybersecurity concerns impacting healthcare systems. Task Force members held public meetings and met with industry leaders and stakeholders to identify trends, threats, concerns, and best practices related to cybersecurity.
The information and ideas gathered by the Task Force enabled its members to address key CISA requirements:
- Analyze how other critical industries address cybersecurity threats through various strategies and safeguards.
- Identify barriers and challenges that private entities in the healthcare sector face regarding preventing cyberattacks.
- Review challenges specific to securing networked medical devices as well as other software or systems connected to EHRs.
- Provide information and strategies to help healthcare entities strengthen their defense and response to cybersecurity threats.
- Establish a plan that enables healthcare organizations and the federal government to share actionable cyberthreat indicators and defensive processes.
Congress received the first Task Force report in June 2017, which detailed complex challenges the healthcare industry faces when it comes to securing and safeguarding against cybersecurity risks. The Report on Improving Cybersecurity in the Healthcare Industry also identified key imperatives for improving cybersecurity practices:
- Define leadership and governance for healthcare industry cybersecurity.
- Increase the security of medical devices and health IT.
- Develop the healthcare workforce capacity needed to prioritize cybersecurity awareness and technical abilities.
- Improve cybersecurity awareness and education.
- Protect research and development (R&D) efforts and intellectual property (IP) from cybersecurity threats.
- Enhance information sharing of threats, risks, and mitigations.
Task force year one update
HHS studied the Task Force’s report and worked across its agencies and offices to implement recommended changes. In the year following the Healthcare Industry Cybersecurity Task Force report, HHS took the following actions to address the report’s key imperatives:
Defining leadership and governance. The Deputy Secretary for HHS was designated as the lead official for all HHS cybersecurity measures. An internal working group was also established to coordinate cybersecurity activities, such as implementing the Task Force’s recommendations.
Increasing IT and medical device security. To address the challenges of securing medical devices and EHRs, the Food and Drug Administration (FDA), an HHS agency, developed the Medical Device Safety Action Plan. The plan prioritizes innovation to improve patient safety and develop more effective products and services to resolve unmet medical needs.
Developing the healthcare workforce capacity. HHS coordinated with the National Initiative for Cybersecurity Education (NICE) to help lead its Federal IT Workforce Committee. The Department also leveraged the NICE Framework to improve its ability to attract, develop, and retain IT professionals in the health sector.
Improving cybersecurity awareness and education. HHS has prioritized cybersecurity outreach by offering continuing education and outreach activities, as well as online resources for non-technical audiences.
Protecting R&D and IP. Clinical trials, drug and device development, and even general healthcare operations can be opportunities for cybercriminals to commit healthcare intellectual property theft. To prevent attacks and unauthorized data exposure, HHS worked with the National Academies to add research institutions to HHS’s private sector critical infrastructure partnership.
Enhancing information sharing. To improve information sharing between the government and the healthcare industry, HHS developed executive and technical summaries on emerging cyberthreats and provided grants to promote information sharing across a wide range of healthcare entities.
Addressing the healthcare industry cybersecurity task force recommendations
The Healthcare Industry Cybersecurity Task Force report stated that healthcare cybersecurity was in critical condition back in 2017. Today, this assessment remains true. The healthcare industry has been the primary target of ransomware and other cyberattacks, making it critical for organizations to prioritize and improve their cybersecurity practices.
While the Healthcare Industry Cybersecurity Task Force disbanded after delivering its report, efforts to address the Task Force’s recommendations are ongoing. In the face of ever-evolving cyberthreats, healthcare organizations turn to solutions such as WinZip Enterprise.
This powerful, customizable tool protects critical data through industry-leading encryption, management, sharing, backup, and compression capabilities. WinZip Enterprise also offers native integration with leading enterprise-grade cloud storage providers, providing unsurpassed protection for data at rest and in transit.