Health Care Industry Cybersecurity Task Force Report Identifies Imperatives for Reform

Blog WilmerHale Privacy and Cybersecurity Law

Several media organizations this week published a pre-release copy of the report of the Health Care Industry Cybersecurity Task Force established pursuant to the Cybersecurity Act of 2015. The report, written by a 21-member public-private group selected by the Secretary of Health and Human Services (HHS), identifies six “imperatives” for improving cybersecurity in the health care sector, with groups of concrete recommendations for action under each imperative.

Describing cybersecurity as “a key public health concern that needs immediate and aggressive attention,” the report describes a number of factors contributing to the critical state of health care cybersecurity, including the rapid move by many health care providers to electronic health record (EHR) systems—a transition incentivized by government subsidies—and the absence of a central regulatory authority with responsibility for cybersecurity across the health care industry. The six imperatives and some of the most noteworthy recommended action items are:

  • Define and streamline leadership, governance, and expectations for health care industry cybersecurity. The report recommends:
    • establishment of a “cybersecurity leader” role at HHS to help guide cybersecurity efforts in the health care sector;
    • creation of a “health care-specific” version of the Cybersecurity Framework developed by the National Institute of Standards and Technology; 
    • harmonization of cybersecurity laws and regulations affecting health care organizations;
    • consideration of amendments to the Physician Self-Referral Law (the “Stark Law”) and the Anti-Kickback Statute to permit larger health care entities to provide smaller partners with cybersecurity advice, technology, and expertise; and
    • adoption by regulators of a more lenient approach to security breaches caused by “mistakes and slips,” to encourage the sharing of information about breaches without fear of regulatory sanctions.
  • Increase the security and resilience of medical devices and health IT. The report recommends:
    • cooperation by vendors and health care providers to inventory and secure legacy systems;
    • adoption of “strong authentication to improve identity and access management” and “strategic and architectural approaches to reduce the attack surface” for both medical devices and EHR systems; and
    • creation of a Medical Computer Emergency Readiness Team that could be called upon to “coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.” 
  • Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. The report recommends:
    • hiring by health care organizations of qualified cybersecurity personnel and establishment of leadership positions within their organizations with responsibility for cybersecurity; and
    • development of secure and cost-efficient storage solutions for smaller organizations to handle EHRs. 
  • Increase health care industry readiness through improved cybersecurity awareness and education. The report recommends:
    • education by health care organizations of their leadership about cybersecurity risks;
    • creation of a “conformity assessment model” that could be used to evaluate new technology and software for cybersecurity issues; and
    • development of more tools to enable consumers to manage and assess cybersecurity protections.
  • Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure. The report recommends:
    • additional academic research on methods for protecting health care data sets; and
    • creation of guidance for industry and academia on how to create an “economic impact analysis” describing the “cybersecurity risk for health care research and development.” 
  • Improve information-sharing concerning industry threats, weaknesses, and mitigations. The report recommends:
    • packaging cyber-risk information in a manner that allows persons with part-time cybersecurity responsibilities to act on it, with a focus on the cybersecurity needs of small and medium-sized health care providers; and 
    • greater information-sharing “across the health care industry.”

The Task Force’s report notes that it found the “engagement with other federal and private sector partners” to be very helpful, and suggests “the establishment of an ongoing public-private forum” to “enhance cybersecurity discussions and protections.” 
