The Subcommittee on Oversight and Investigations of the United States Congress Committee on Energy and Commerce recently held a hearing reviewing the Department of Health and Human Services’ (HHS) role in cybersecurity. Chaired by Congressman Tim Murphy, the hearing focused on the review of two HHS reports required by the Cybersecurity Act of 2015: the “HHS Cyber Threat Preparedness Report” and “The Health Care Industry Cybersecurity Task Force Report”. The reports detail HHS’ internal cybersecurity processes and provide recommendations for federal government and industry efforts to improve cybersecurity in the health care sector. The hearing and reports also addressed the creation of the Health Cybersecurity and Communications Integration Center (HCCIC) and the Health Care Industry Cybersecurity Task Force.
The Health Care Industry Cybersecurity Task Force report identified six imperatives:
- Defining and streamlining governance and expectations for health care industry cybersecurity;
- Increasing the security of medical devices and health IT;
- Creating the workforce capacity necessary to prioritize cybersecurity awareness and capabilities;
- Increasing readiness via cybersecurity awareness and education;
- Identifying methods to secure R&D efforts and intellectual property from attacks; and
- Improving information sharing programs to manage threats and weaknesses.
The HHS cybersecurity hearing occurred against the backdrop of the global “WannaCry” ransomware cyberattack, which was used as a case study to explain the reports’ findings. As with many other cyberattacks, ransomware spreads through phishing. Such attacks trick email recipients into installing malicious software that encrypts their systems, causing the users to lose access to their documents. The user is then prompted to pay a ransom in order to have their system restored. Accordingly, health care providers are concerned both about disruption to their operations and about the risk of Protected Health Information (PHI) breaches.
As highlighted during the recent Congressional hearing and in the reports, one of the major challenges is maintaining security across unique platforms and devices while providing appropriate and timely patient care. Striking the right balance between securing important data and protecting patient privacy requires continuous evaluation and adjustment. Although the health care and public health sector has improved its ability to manage cybersecurity events, the challenges continue. Health care organizations should therefore continually review their efforts to protect themselves against data breaches, malware, and ransomware.
Expert tips and reminders for safeguarding cybersecurity include the following:
- Do not assign cybersecurity responsibilities to someone at a low level in the organization;
- Ensure that software products are up to date with the most recent patches at all times;
- Establish an aggressive patching schedule for all software;
- Implement policies/procedures for precautions against malware;
- Train employees to avoid clicking on email links/attachments or responding to “phishing” inquiries;
- Regularly test users to make sure they are on guard;
- Configure email servers to block zip or other files that are likely to be malicious;
- Restrict permissions to areas of the network based on a demonstrated need for database access;
- Grant system access using a need to know standard;
- Limit employee access to files on a single server to help avoid the spread of potential infections;
- Focus and prioritize security efforts on patient records;
- Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate them;
- Maintain frequent data backups to permit restoration of lost data in case of an attack;
- Regularly take full snapshots of your data and store them offline;
- Monitor email carefully and do not open email attachments from unknown parties;
- Conduct regular systems tests to flag vulnerabilities before a hacker can gain access;
- Develop a business continuity plan to prevent downtime;
- Maintain a disaster recovery and emergency operation plan;
- Prevent spread of infection by disconnecting infected systems from a network, disabling Wi-Fi, and removing USB sticks or connected external hard drives; and
- Establish real-time data backups to permit continuation of daily operations.
Congressional HHS Cybersecurity hearing materials are available at: https://energycommerce.house.gov/hearings-and-votes/hearings/examining-role-department-health-and-human-services-health-care.