Preparedness for cyber-attacks is dominating conversations across the country, and the health sector must take action. That was the message from the HIMSS North America Board of Directors when they approved the new HIMSS Cybersecurity Policy Position Statement. Crafted through a collaboration between the HIMSS Public Policy Committee, the HIMSS Privacy and Security Committee, and HIMSS staff, the Call to Action to fortify the health sector from cyber-attacks identifies potential solutions for the most pressing cyber challenges facing the health sector.
Most significantly, it is clear that the health sector must improve its security posture. The cybersecurity “baseline” of many organizations was drawn on the assumption that cybersecurity is solely a problem for the information technology (“IT”) department, without input from stakeholders across the organization and without meaningful exchange of cyber threat intelligence with peers and the Federal government. Many organizations still equate cybersecurity with HIPAA compliance. But HIPAA compliance establishes a regulatory floor, not a defense: a point-in-time attestation that the required safeguards are in place does not guarantee that an organization’s protected health information will be safe and secure against an active attacker.
Given the vast amount of data being breached and the large number of healthcare organizations being compromised by both insider and external threat actors (nation-state and non-state actors, organized cybercriminals, and others), it is clear that the health sector needs to change its attitude toward the adoption of cybersecurity practices. The “norm” today is for a healthcare organization to react to a breach or cyber-attack and only then invest in IT security tools and skilled cybersecurity personnel and build a more robust program.
The health sector is currently too vulnerable to cyber-attacks and compromises. Patient safety hangs in the balance. As a critical infrastructure sector, the health sector cannot afford to wait any longer to transform its collective approach to cybersecurity and to work collaboratively with the federal government and others toward a solution. It is only a matter of time before a patient is seriously injured or dies as a result of a cyber-attack or compromise, unless all stakeholders commit to working together to draw a new baseline for the health sector.
To this end, the HIMSS Cybersecurity “Call to Action” focuses on three main points:
- The health sector should adopt a voluntary, universal information privacy and security framework with use cases and implementation guidance, scalable for a wide range of healthcare organizations and inclusive of small, medium, and large providers. The framework must enable use of the tools developed in accordance with Section 405 of the Cybersecurity Act of 2015 (codified at 6 U.S.C. § 1533 (2016)), a provision based on the 2015 HIMSS Cybersecurity Congressional Ask #2, specifically the “voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes.” An example of such a framework is the NIST Cybersecurity Framework.
- The U.S. Department of Health and Human Services (HHS) should create a cyber leader role, filled by an elevated Chief Information Security Officer with both internal and external portfolios. Creating this cyber leader role at HHS would be a critically important step in elevating the security posture of health organizations across the nation.
- HHS and stakeholders in the health sector should work together to devise a plan of action to resolve the shortage of qualified cybersecurity personnel. Without sufficient staff, the cybersecurity program of a healthcare organization cannot function effectively and is likely to fail.
HIMSS encourages all healthcare organizations to help spread the word about the HIMSS Cybersecurity Call to Action and to take a proactive, holistic approach to cybersecurity, for the benefit not only of their own organizations but, most importantly, of the patients entrusted to their care.