From HHS to the FDA, participants are tackling the problem from several angles.
Nearly every week brings news of a cyberattack or data breach in healthcare, reinforcing analyses that found the industry to be among the most vulnerable to hackers. This week, for example, news of a cyberattack against LabCorp broke, following a ransomware incident that caused a Missouri hospital to divert some ambulances.
But amid the chaos and immeasurable risk to patients, leaders from health systems, government agencies and the rest of healthcare are trying to forge a path toward stronger cybersecurity. The Healthcare and Public Health Sector Coordinating Council (HSCC), formed under presidential executive order, has emerged as a key aggregator of industry stakeholders, and its members recently met to discuss cybersecurity vulnerabilities and potential safeguards.
>> READ: WannaCry, NotPetya, and Cyberwarfare’s Threat to Healthcare
“As cyberthreats against the healthcare sector proliferate and become more sophisticated, we have realized that we can best mobilize against them as a collaboration, with strength in numbers and expertise,” Greg Garcia, executive director of HSCC Joint Cybersecurity Working Group, said at a late June meeting, which was publicized this week. “And if we’re successful, we’re never done — only better.”
The HSCC gathering attracted representatives from more than 100 healthcare organizations, including providers, industry associations, pharma companies, medical device manufacturers and health information technology (IT) firms. They assembled to “report and build on their collective progress” toward launching more powerful cybersecurity systems in healthcare, a response to six high-level imperatives and 105 action-item recommendations made by a Department of Health & Human Services (HHS) task force.
Earlier this year, the HSCC working group developed 13 task groups to implement those ideas. June’s meeting served as something of a barometer — a tool to assess their progress and to “accelerate momentum toward meeting [their] collective cybersecurity challenges,” according to the HSCC.
What they found is growing buy-in: Since January, private-sector membership in the HSCC jumped from 60 to 190; industry association membership climbed from 5 to 30; private healthcare employee membership climbed from 58 to 307; and industries like pharma, health IT, insurance and medical device manufacturing have joined the cause.
Further, private companies are “working closely” with the Food and Drug Administration to establish cybersecurity guidelines for medical devices, developing a joint plan for all stakeholders. FDA Commissioner Scott Gottlieb, M.D., took to Twitter this afternoon to announce that this particular task group plans to seek comment on a software bill of materials for medical devices, which would shine a light on the software components used in a given piece of technology.
“Knowing what software is included in a device means users and manufacturers can better assess and remediate potential cybersecurity threats that may emerge,” he said.
Other task groups are exploring how to secure “critical intellectual property” such as pharmaceutical research; clinician cybersecurity training and how healthcare can recruit more data-protection experts; the development of best practices; and everything from supply chain and telemedicine risk management to marketing and regulation.
The HSCC working group is scheduled to meet next in October.
Get the best insights in healthcare analytics directly to your inbox.
The Worst Healthcare Cybersecurity Breaches of 2017
What Keeps Healthcare Cybersecurity Innovators Up at Night