Improving Cybersecurity in the Health Care Industry: Report of the Health Care Industry Cybersecurity Task Force - Risks to Medical Devices and IT Systems, Working in the Open Culture of Health Care

This excellent report has been professionally converted for accurate flowing-text e-book format reproduction.

Now more than ever, all health care delivery organizations have a greater responsibility to secure their systems, medical devices, and patient data. Most health care organizations face significant resource constraints as operating margins can be below one percent. Many organizations cannot afford to retain in-house information security personnel, or designate an information technology (IT) staff member with cybersecurity as a collateral duty. These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information. Many organizations also have not crossed the digital divide in not having the technology resources and expertise to address current and emerging cybersecurity threats. These organizations may not know that they have experienced an attack until long after it has occurred. Additionally, both large and small health care delivery organizations struggle with numerous unsupported legacy systems that cannot easily be replaced (hardware, software and operating systems) with large numbers of vulnerabilities and few modern countermeasures. Industry will need to dramatically reduce the use of less defensible legacy and unsupported products, and more effectively reduce risk in future products through robust development and support strategies.

To identify a wide range of threats that affect the health care industry, the Task Force relied on information gathered during public meetings, briefings and consultations with experts on a variety of topics across health care and other critical infrastructure sectors, internal Task Force meetings, and responses to blog posts. The Task Force's activities resulted in the development of recommendations that will collectively help increase security across the health care industry. The Task Force identified six high-level imperatives by which to organize its recommendations and action items. The imperatives are: 1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity. 2. Increase the security and resilience of medical devices and health IT. 3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. 4. Increase health care industry readiness through improved cybersecurity awareness and education. 5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure. 6. Improve information sharing of industry threats, weaknesses, and mitigations.

Members of the Task Force * Executive Summary * I. Health Care Industry Cybersecurity Task Force Charge and Approach * II. The State of Cybersecurity within the Health Care Industry * III. Risks across the Health Care Industry * IV. Imperatives, Recommendations, and Action Items * Imperative 1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity * Imperative 2. Increase the security and resilience of medical devices and health IT * Imperative 3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities * Imperative 4. Increase health care industry readiness through improved cybersecurity awareness and education * Imperative 5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure * Imperative 6. Improve information sharing of industry threats, risks, and mitigations * V. Future Considerations