Tuesday, November 28, 2017

6 Imperatives for improving cybersecurity in healthcare

PARCA eNews – Nov. 23, 2017 – The House Committee on Energy and Commerce is calling on HHS to act promptly on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force, which published its recommendations last June.

That task force was created by the Cybersecurity Act of 2015 to identify and address the unique challenges the healthcare industry faces in securing its data and information systems against cyberattacks.

Earlier this year, the Cybersecurity Task Force published its review and recommendations, which include medical device security and are organized around six imperatives:

1. Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity

2. Increase the security and resilience of medical devices and health IT

3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities

4. Increase healthcare industry readiness through improved cybersecurity awareness and education

5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure

6. Improve information sharing of industry threats, risks, and mitigations

Among the recommendations for medical device technologies was a call for manufacturers to provide a Bill of Materials for each device, so that healthcare organizations can make informed risk decisions and determine which of their devices contain a component with a known vulnerability.

In the letter, House Committee on Energy and Commerce Chair Greg Walden (R-OR) pointed to the NotPetya and WannaCry ransomware attacks, which exploited a vulnerability in version 1 of the Windows Server Message Block protocol (SMBv1) and left healthcare organizations scrambling to determine which of their technologies used or depended on SMBv1.

Such a Bill of Materials for an electronic device could be required to list the components on the printed wiring board or printed circuit board as well as the open source and commercial software and firmware the device runs.
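The SMBv1 scramble described above is exactly the question a device Bill of Materials is meant to answer: given an advisory about a component, which devices in the fleet contain it? The following is an added example, not code from PARCA, the Task Force or any vendor. It takes a per-device component inventory and a list of advisories and returns the affected devices, treating two cases differently: an advisory where mere presence of a component is the problem (the SMBv1 case), and one scoped to a version range. The BOM rows, device names and the advisories (`ADV-SMB1`, `ADV-SSL`) are constructed for illustration and do not correspond to real devices or real vulnerabilities; `parse_version` is a simple heuristic, not a vendor's versioning scheme.

```python
"""Query a per-device bill of materials for vulnerable components.

Added example. All data below is constructed; the advisories are
hypothetical and are not real CVEs.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed BOM export, one row per (device, component).
# An empty version means the manufacturer listed the component
# without a version (typical for an OS feature such as SMBv1).
BOM_CSV = """\
device,component_type,component,version
Infusion pump model X,os,Windows Embedded Standard 7,6.1.7601
Infusion pump model X,os_feature,SMBv1,
Infusion pump model X,library,OpenSSL,1.0.1e
Ultrasound cart Y,os,Linux kernel,4.4.0
Ultrasound cart Y,library,OpenSSL,1.0.2k
Ultrasound cart Y,firmware,Probe controller firmware,2.3.1
Imaging workstation Z,os,Windows 10,10.0.14393
Imaging workstation Z,os_feature,SMBv1,
Imaging workstation Z,library,OpenSSL,1.1.0f
"""

# Constructed advisories. "affected" is None when the presence of the
# component is itself the problem; otherwise a half-open range [lo, hi).
ADVISORIES = [
    {"id": "ADV-SMB1", "component": "SMBv1", "affected": None},
    {"id": "ADV-SSL", "component": "OpenSSL", "affected": ("1.0.1", "1.0.2")},
]

Version = Tuple[Tuple[int, str], ...]
_PART = re.compile(r"(\d*)(\D*)")


def parse_version(text: str) -> Version:
    """Split "1.0.1e" into ((1,''),(0,''),(1,'e')) so tuples compare in order.

    Heuristic: each dot-separated piece becomes (number, letter suffix).
    """
    parts = []
    for piece in text.strip().split("."):
        if not piece:
            continue
        num, suffix = _PART.match(piece).groups()
        parts.append((int(num) if num else 0, suffix))
    return tuple(parts)


def in_range(version: str, bounds: Optional[Tuple[str, str]]) -> bool:
    """True if the component version falls in the advisory's affected range."""
    if bounds is None:
        return True  # presence alone is the finding (SMBv1 case)
    if not version.strip():
        return True  # unknown version: cannot rule it out, flag for review
    lo, hi = bounds
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def load_bom(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def affected_devices(rows: List[Dict[str, str]], advisory: Dict) -> List[str]:
    """Devices whose BOM lists the advisory's component in the affected range."""
    hits = set()
    for row in rows:
        same_component = row["component"].lower() == advisory["component"].lower()
        if same_component and in_range(row["version"], advisory["affected"]):
            hits.add(row["device"])
    return sorted(hits)


def triage(rows: List[Dict[str, str]], advisories: List[Dict]) -> Dict[str, List[str]]:
    """Map each advisory id to the sorted list of affected devices."""
    return {adv["id"]: affected_devices(rows, adv) for adv in advisories}


if __name__ == "__main__":
    for adv_id, devices in triage(load_bom(BOM_CSV), ADVISORIES).items():
        print(adv_id, devices)
```

Two practitioner caveats the example makes visible: component names must be normalized before matching (vendors rarely spell a library or OS feature the same way), and a BOM entry with no version cannot be ruled out, so the lookup flags it rather than silently skipping it. Real inventories would use a standard SBOM format such as SPDX or CycloneDX rather than an ad hoc CSV, but the matching logic is the same.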

Other action items in the Task Force report call on healthcare accreditation organizations, such as the Joint Commission, to consider incentives, requirements and/or guidelines covering the use of unsupported systems and their mitigation strategies, timely updates and patches, and the phasing out of legacy and insecure healthcare technologies.

The full Task Force Report is available here.
