AAMI News August 2017

Cybersecurity Task Force Highlights Hurdles Facing Healthcare

Task Force Recommendations

  1. Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity.

  2. Increase the security and resilience of medical devices and health IT.

  3. Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

  4. Increase healthcare industry readiness through improved cybersecurity awareness and education.

  5. Identify mechanisms to protect research and development efforts and intellectual property from attackers.

  6. Improve information sharing of industry threats, weaknesses, and mitigations.


“Healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention,” according to a report by a federal task force. However, healthcare delivery organizations are hampered by a lack of resources, necessitating a “unified effort” among the public and private sectors.

“Many organizations ... have not crossed the digital divide in not having the technology resources and expertise to address current and emerging cybersecurity threats,” the Health Care Industry Cybersecurity Task Force wrote in its report. “These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.”

The 21 members of the Department of Health and Human Services’ Cybersecurity Task Force submitted their Report on Improving Cybersecurity in the Healthcare Industry to members of Congress earlier this summer.

Two of the most pressing issues identified in the report were the presence of “numerous unsupported legacy systems” and a “severe” workforce shortage.

On legacy systems, the task force wrote: “Both large and small healthcare delivery organizations struggle with numerous unsupported legacy systems that cannot easily be replaced (hardware, software, and operating systems) with large numbers of vulnerabilities and few modern countermeasures.” According to the report, “Industry will need to dramatically reduce the use of less defensible legacy and unsupported products, and more effectively reduce risk in future products through robust development and support strategies.”

The task force also recommended setting industry standards that would establish the minimum number of healthcare cybersecurity experts needed based on the size of the organization, similar to a California law that requires a minimum nurse-to-patient ratio.

For many healthcare delivery organizations, such changes might seem daunting, especially as most small, medium, and rural providers “face significant resource constraints.” To help counter these costs, the task force called on the federal government and industry to devise incentive models.

Industry groups, such as the College of Healthcare Information Management Executives (CHIME), welcomed the recommendation to offer incentives to encourage investment in cybersecurity.

“The report and the task force’s thoughtful recommendations come at a critical time, offering solutions to many of the challenges and opportunities our members have previously identified in their efforts to improve their organization’s cybersecurity hygiene,” CHIME President and CEO Russell Branzell said in a statement.