A healthcare industry cybersecurity task force recently submitted a report to Congress analyzing and addressing various issues with healthcare security, including problems unique to EHR technology.
The task force was initially convened in March of 2016 by HHS and consisted of members representing organizations ranging from hospitals to pharmaceutical companies.
Throughout the year, task force members shared information regarding cybersecurity best practices, trends, threats, and general concerns regarding health IT safety.
The task force also posted blogs encouraging the public to submit feedback and present ideas the task force could draw on when addressing the requirements of the Cybersecurity Act of 2015.
Ultimately, the task force devised the following six imperatives to increase current levels of health IT security:
The second item on the list specifically targets ways stakeholders should promote innovation and upgrade medical devices and EHR systems to prevent cybersecurity attacks.
The first recommendation falling under the umbrella of the second imperative addresses unique EHR security threats and how stakeholders can secure these systems.
“Many of these legacy systems have security weaknesses, which may contribute to the compromise of provider networks and systems,” stated authors. “Every vendor and health care organization should be able to identify and classify legacy systems and develop an approach (e.g., compensating controls, device update, device retirement, network segmentation, or innovative architectures) to mitigate the associated risks.”
To address risks associated with legacy systems, the task force urges providers to frequently assess and mitigate problems with operating systems and EHRs in accordance with the following four action items:
Upgrading EHR systems to keep pace with rapidly evolving cybersecurity threats, and applying risk reduction strategies on a regular basis, helps ensure that weak spots in security do not slide under the radar and leave systems vulnerable to attack.
Task force authors also emphasized the importance of increasing security measures in all facets of EHR use and development, from design through operation and maintenance.
“Manufacturers and developers should plan for operations and maintenance to ensure continuous monitoring, ongoing patching, and weakness remediation,” stated authors.
Additionally, the task force stated risk assessments should take regulatory boundaries into consideration.
“Industry should develop processes for assessing risks for integrated systems that cross regulatory boundaries, such as EHRs and medical devices,” stated authors.
The task force also encouraged stakeholders to reduce the attack surface for EHRs and interfaces between EHRs and medical devices through strategic interoperability.
“Manufacturers should focus on architecturally supporting security interoperability for their products that validate and leverage health care delivery organizations' existing security controls,” wrote authors.
Promoting frequent security checks, EHR updates, and security interoperability could assist providers in safeguarding their EHR systems from cybersecurity threats.
The task force also recommended stronger authentication to improve identity and access management for EHRs for healthcare providers and patients, as well as improved transparency in manufacturing and development.
These recommendations, when combined with the other six listed imperatives, are intended to help stakeholders ramp up the security of EHR systems and improve overall security in the healthcare industry.