Healthcare Industry Cybersecurity Task Force report- June 2017

Recently a report came out from the "Health Care Industry Cybersecurity Task Force".  This group was formed by Congress as part of the Cybersecurity Act of 2015.  The task force is made up of a diverse group from the healthcare industry, taking a look at the state of cybersecurity and how it can be improved.

You can read the report HERE.

At nearly 100 pages, it's a bit much to slog thru.  At a minimum, read over the executive summary.  As someone who works with healthcare clients, their findings are not a surprise to me.  They have a figure:

which points out some of this issues.  Lack of talent- yes.  Not that there is no talent, but that many orgs don't have enough people on board.  Smaller orgs can't afford to, sometimes outsourcing their IT to vendors who themselves may not have the right skills.  (it's one thing to go with a managed security service provider who hopefully knows healthcare, it's another to go with some local IT guys who has no idea of security or the issues facing healthcare)
Legacy equipment- wow.  yes.  Big problem as the vendors aren't supporting or updating these systems, and the orgs can't.  Most orgs don't understand that there are some solutions (isolated networks and the like) for this.  Over-connectivity ties back to lack of talent.  When you don't have people on board who can properly set things up, problems will arise.  Vulnerabilities impact- this is stuff like ransomware and the like hitting groups, which often was caused by not have the right talent in place to get things in a good shape.

Some of these actually interconnect.  Healthcare IT is behind everyone else.  Too many organizations have, for various reasons, not invested in IT.  This means they have not worked to get enough people on board with the right skills and given them the budget to setup things up well.

They define 6 imperatives:

1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, weaknesses, and mitigations.

The report spends quite a bit of time on a variety of recommendations and action items off of these imperatives.

Check it out and add your comments.