Omnibus Bill Addresses Healthcare Cybersecurity

New cybersecurity measures specifically for the healthcare industry have been added to the Omnibus bill signed into law by Congress late last week. The aim of their inclusion is to help healthcare organizations tackle the growing danger of cyberattacks, and to supply them with the information and guidance necessary to shore up their defenses, plug security gaps and become less susceptible to cyberattacks. This new legislation is included in the Cybersecurity Information Sharing Act, passed by Congress on Friday.

One of the ways that the new legislation will assist healthcare organizations is with the formation of a new Cybersecurity Task Force. This is due to take place during the first 90 days after the introduction of the new legislation. The purpose of the task force is to assess the current cyber threats facing the healthcare industry. The means used by cybercriminals to penetrate security defenses will be analyzed and vulnerabilities assessed. The task force will also examine how other industries are managing to repel attacks. Healthcare organizations will then be given guidance on the best actions to take to improve their defenses.

The data held by healthcare providers and insurers is highly valuable to cybercriminals, much more so than credit card numbers. Consequently, hackers have been attacking healthcare organizations with increased frequency and vigor. More sophisticated methods of attack are being formulated and the industry has been struggling to cope with being targeted. Budgetary constraints have also made it difficult for healthcare organizations to put in place appropriate defenses to deal with the rapidly changing nature of the threats.

One of the main issues faced by small to medium-sized healthcare organizations is how to gain access to vital cybersecurity intelligence in real time. Such data must be made available to healthcare organizations if cyberattacks are to be effectively tackled, which means that information must be made available free of charge.

At present, only large, well-funded healthcare organizations are able to gain access to this information. Smaller healthcare providers simply do not have the funds necessary to gather the required intel.

The Healthcare Information Management Systems Society (HIMSS) has played a pivotal role in getting these new provisions introduced into the legislation. HIMSS has long called for more support to be given to the healthcare industry by the government to help organizations deal with new cybersecurity threats. Numerous conversations have been held between HIMSS and the Committee of Health, Education, Labor and Pensions. A number of recommendations made by HIMSS are now due to be acted upon.

The Department of Health and Human Services will also be asked to work more closely with the Department of Homeland Security and, with guidance from NIST, will devise a new set of cybersecurity standards and best practices for healthcare organizations to adopt. New guidelines are to be produced which will allow healthcare organizations to draw up policies to deal with the current risk of cyberattacks and secure the Protected Health Information of patients more effectively.