Email phishing attacks, ransomware attacks and attacks against connected medical devices are among the greatest cyberthreats that health systems need to protect against, according to new cybersecurity guidance for health systems from the Department of Health and Human Services.
Released last week, the Health Industry Cybersecurity Practices were released to help the industry identify ways to reduce its risk from cyberthreats. The result of a two-year effort between HHS and private entities, the guidance fulfills a mandate of the Cybersecurity Act of 2015.
“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health," said Janet Vogel, HHS acting chief information security officer, in a release. "In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively."
It's a far-reaching problem impacting organizations across healthcare from health systems to insurers on multiple fronts.
A study published in JAMA in November found that hackers took 133.8 million patient records between 2009 and 2017. Most recently, Atrium Health reported that a database of more than 2.6 million billing records of patients at Atrium Health—formerly Carolinas HealthCare System—was compromised by hackers.
But lawmakers have been expanding their focus to other threats in recent months. In November, a congressional committee asked HHS to begin drawing up plans to provide more transparency about cybersecurity risks within medical devices.
"The breadth and complexity of these threats complicate mitigation. This is not simply an IT problem. When threats and vulnerabilities are identified and assessed for potential impact, the most effective combination of safeguards and cybersecurity practices must be determined based on the organization's particular needs, exposures, resources, and capabilities," the report said (PDF).
It's a costly problem. The U.S. healthcare system lost $6.2 billion to data breaches in 2016, with 4 in 5 physicians experiencing some form of cybersecurity attack, the report said.
In order to mitigate future breaches, HHS provided a list of 10 areas for stakeholders to focus on to limit their vulnerabilities, including:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
HHS acknowledged that the exact shape of these practices will vary depending on the type of entity employing them. It, therefore, provided guidance on several "sub-practices" for different-sized organizations in the technical volumes accompanying the report.