Recent ransomware attacks on hospitals elevated awareness of cyber threats health care providers face. The attacks forced hospitals to engage in technological regression by relying on hard-copy records and revealed aspects of the health sector that make cybersecurity difficult. These episodes also highlighted ways in which the health sector reflects problems experienced across the U.S. cybersecurity ecosystem. Improving health-sector cybersecurity requires addressing unique sector features and integrating the sector into efforts to strengthen U.S. cybersecurity generally. However, concerns about health-sector cybersecurity have intensified just as the politics of U.S. cybersecurity face uncertainty.
Providing health services puts individual well-being in the hands of governmental bodies and private-sector enterprises. Increasingly, such services depend on digital technologies, devices, and data. The benefits of the digital revolution are so significant that the responsibility, recognized in modern versions of the Hippocratic oath, to apply scientific advances for patient health encourages exploitation of information technologies. A ransomware attack on a hospital is not just another cybersecurity incident; it encroaches on matters of life and death.
Integrating digital technologies in health services creates repositories of sensitive and valuable patient, financial, physician, pharmaceutical, and insurance information and vulnerabilities in networks used by physicians, hospitals, and insurance companies. Expanding use of digital information, communications, services, and medical devices means the health sector’s attractiveness as a target for malevolent cyber activities and its “attack surface” will grow. This trajectory is global and forms a disturbing part of what the World Health Organization calls the “health internet.”
The need for health-sector cybersecurity was recognized before recent ransomware attacks. The Obama administration’s 2009 Cyberspace Policy Review highlighted the need to protect patient data as use of digital technologies advanced. The Department of Health and Human Services (HHS) developed a cybersecurity primer for health-sector activities. The U.S. government classifies the health sector as critical infrastructure subject to, among other things, the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework).
The Food and Drug Administration (FDA) issued recommendations in 2013 for medical device manufacturers and health-care facilities to “take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack.” The American Hospital Association (AHA) has been educating its members about cybersecurity threats, including its 2014 publication Cybersecurity and Hospitals. Both the FDA and AHA utilize the Cybersecurity Framework in efforts to strengthen cybersecurity. Federal law requires health-service providers to protect electronic health information and to notify individuals in cases of breaches of such information.
Despite these efforts and laws, cyber incidents involving the health sector have increased. Data indicate that, in 2015, health care was the most attacked and affected industry, suggesting that progress has been inadequate. The ransomware attacks in 2016 underscore problems with cybersecurity in the health sector. Many problems are familiar to every sector struggling with cyber threats, including:
- Difficulties with making cybersecurity an enterprise priority;
- Dependence on software, systems, and devices developed without sufficient attention to security;
- Inadequate use of protection measures (e.g., encryption);
- Threats arising from employee behavior and malicious insiders;
- Challenges in public-private cooperation, including information sharing; and
- Frustration with the U.S. government’s perceived failure to better protect U.S. cyberspace.
In response, Congress mandated in the Cybersecurity Information Sharing Act of 2015 (CISA) that HHS report to Congress by December 2016 on the preparedness of HHS and health-industry stakeholders in responding to cyber threats. CISA also required HHS to establish a Health Care Industry Cybersecurity Task Force to:
- Analyze cybersecurity challenges the industry faces, including those from networked medical devices;
- Examine how other sectors have implemented cybersecurity strategies;
- Provide HHS with information to disseminate on strengthening health-sector cybersecurity; and
- Establish a plan to facilitate information sharing between health-sector entities and the federal government.
The Task Force held its first meeting in April and will have three more meetings before its mandate ends in March 2017. In its work, the Task Force will evaluate ideas on how to improve health-sector cybersecurity and its contributions to overall U.S. cybersecurity, such as the suggestion by CFR’s Robert Knake that tax credits for cybersecurity investments could benefit critical infrastructure sectors, including health.
The Task Force will complete its work after a new president and Congress take office, and whether its analysis will matter to the new administration’s and legislature’s cybersecurity priorities is not clear. Neither Donald Trump nor Hillary Clinton has issued, or is likely to release, positions on cybersecurity in the health sector. Rather, efforts in this sector will fall under general policies the new president and Congress will pursue, such as Clinton’s strategy against cyber attacks.
In this transition, the burden of turning the Task Force’s recommendations into action will fall on the government agencies and industry leaders that have grappled with this problem. Whether new initiatives on health-sector cybersecurity will take root in the next phase of American politics remains to be determined.